ABSTRACT


A  formal  system  is  described  within  which  we  may  represent 
the  communication  and  concurrency  features  found  in  systems  of 
interacting  computing  agents.  This  formal  system  may  be  used  both 
as  a  model  in  which  to  represent  the  behaviour  of  existing  systems 
of computing agents and as a language in which to program desired
systems.  The  notion  of  acceptance  semantics  is  introduced  and  it 
is  in  terms  of  this  that  we  give  meaning  to  programs  constructed  in 
our  framework. 
THE  REPRESENTATION  OF  COMMUNICATION
AND  CONCURRENCY 

1.  INTRODUCTION 
1.1 Description of Systems

In  the  study  of  computation,  or  computer  science  if  you  like, 
we  not  only  have  to  learn  how  to  build  systems  on  which  to  perform 
computations;  we  also  must  know  how  to  describe  such  systems. 

Formalism is required to enable us to describe and discuss a
computation system in a precise and unambiguous manner. Computation
is a precise science and there is little use in only being able to
describe systems informally.

When  systems  are  computing,  they  are  performing  actions; 
evaluating  functions  or  communicating  with  other  systems,  for 
instance. The sequence of actions performed by a system is its
behaviour. It is the behaviour of a system which we wish to be able
to  describe  formally. 

We  shall  use  mathematical  and  logical  concepts  in  constructing 
a  framework  in  which  to  describe  behaviour.  This  allows  us  to 
specify  and  describe  systems  in  precise  terms  and  to  reason  formally 
about their behaviour using mathematical techniques. The specification
of a system using a formalism allows one to inform others
about a system unambiguously. This, together with the ability to
perform proofs about the behaviour of a system, are two of the main
reasons we wish for formal descriptions.
In  systems  where  there  is  a  single  locus  of  control,  executing
a  program  written  in  a  serial  language  for  instance,  we  are  able  to 
describe  the  behaviour  using  functions.  Either  we  take  the  function 
to  be  the  behaviour  itself  and  so  the  program  denotes  the  function, 
as  in  denotational  semantics,  or  the  behaviour  is  given  in  terms  of 
an  abstract  machine  which  evaluates  the  program.  Here,  in  this 
operational  semantics,  we  have  functions  with  the  state  of  the 
abstract  machine  being  the  domain  and  range. 

We  wish  to  produce  a  formalism  in  which  to  represent  the 
behaviour  present  in  systems  which  are  composed  from  a  number 
of  computing  agents,  either  hardware  or  software.  These  agents  will 
operate  concurrently  and  are  linked  together  forming  a  complex  of 
interacting  components.  Networks,  multiprocessor  machines  and 
concurrent  programs  fit  into  the  above  category.  Indeed,  most  systems 
we meet involve some degree of concurrency and so could be described
in the formalism, or specification language, which we construct
in  this  paper. 

1.2 Our Approach

The  formalism  presented  aims  to  allow  us  to  describe  complexes 
of computing agents in which communication and concurrency are
inherent.  The  formalism  aims  to  be  both  a  framework  in  which  to 
represent  the  behaviour  of  existing  systems  and  a  language  in  which 
to  program  the  desired  behaviour  of  projected  systems.  It  is  believed 
that  most  existing  systems  can  be  represented  in  the  formalism  in  an 
intuitive  fashion  and  that  we  should  find  it  more  natural  to  program 
certain  phenomena  in  our  language  rather  than  in  existing  frameworks. 
We shall use the words framework, formalism and language
interchangeably.

There  are  certain  features  which  we  require  our  language  to 
clearly  represent.  These  occur  frequently  in  systems  and  include 
the  communication  between  agents,  the  inherent  nondeterminism 
within  some  agents,  and  the  possibility  of  deadlock  among  the  complex 
of  agents. 

That  the  language  achieves  these  goals  will  be  illustrated  by 
giving  a  collection  of  examples  which  examine  the  representation  of 
such  features  in  detail.  These  examples  should  also  indicate  to  the 
reader  the  underlying  philosophy  adopted  in  this  work.  It  is  hoped  to 
be  able  to  fully  justify  the  choices  taken  in  arriving  at  the  formalism 
by  use  of  a  set  of  primitive  examples. 

The  language  itself  consists  of  a  set  of  operations  allowing  us 
to  construct  programs  from  smaller  programs.  A  number  of 
primitive  operators  gives  us  the  lowest  level  programs.  Each 
operator  should  not  be  considered  just  by  itself  but  should  be  thought 
of  in  its  relation  to  others,  though  some  have  more  significance  and 
are  indeed  more  powerful  than  others. 

Together  with  these  operators  we  have  a  set  of  axioms  which 
the  programs  will  satisfy.  These  axioms  permit  us  to  manipulate 
the  syntax  of  programs  while  preserving  their  semantics  or  meaning. 
Various  properties  of  programs  may  be  proved  by  the  use  of  the  axioms. 

To  give  the  semantics  of  the  language  we  introduce  the  notion  of 
acceptance.  The  behaviour  of  a  program  is  given  by  its  ability  to 
accept, or reject, stimuli which are imposed on it. In terms of
this  semantics,  we  introduce  the  notions  of  equivalence  and  congruence 
between  programs  and  show  that  our  axioms  are  consistent.  This 
experimental  semantics  is  operational  in  nature;  we  experiment  on 
programs  by  giving  them  all  possible  stimuli  belonging  to  a  set 
known  as  a  sort  and  see  how  the  programs  react.  They  can  react 
by  evolving  into  a  new  program  or  by  rejecting  the  stimulus  and,  in 
effect,  destructing.  Due  to  programs  being  able  to  react  to  one  of  a 
number  of  different  stimuli  at  a  time,  we  wish  to  observe  how  they 
react  to  all  possible  stimuli.  Due  to  programs  having  the  ability  to 
represent  nondeterminism,  a  number  of  different  programs  may 
result  from  some  given  stimulus. 

In  the  language,  we  have  features  which  allow  us  to  distinguish 
between  a  program  which  can  at  some  instance  react  to  a  number  of 
different  stimuli  and  produce  (usually)  different  programs  and  a 
program  which  may  produce  different  programs  on  receipt  of  a  single 
stimulus. The former utilizes a choice construct in the language
whilst the latter utilizes a nondeterminism construct.

When  programs  communicate  with  others,  then  they  themselves 
resolve  the  choice  which  can  be  made  with  only  one  interaction  taking 
place  at  a  time,  but  nondeterminism  is  an  internal  feature  of  a 
program  and  no  other  program  can  influence  the  outcome  of  a 
communication; the outcome is nondeterministic. Nondeterministic
programs can arise in two ways: they represent the behaviour of
possibly physical computing agents which for some reason or other
are intrinsically nondeterministic in behaviour; or they represent
complexes of agents where we have abstracted away from the programs
(or parts of programs) which cooperate to resolve a choice, so
introducing nondeterminism. This situation arises where a choice
could previously have been made but can now no longer be effected
since the part of the program which participates in the choice has
been hidden, so preventing a choice being made externally to the
program.

Communication,  and  so  also  our  stimuli,  take  place  via 
ports.  If  we  imagine  our  program  in  reality  as  a  machine  running 
that, and only that, program, the ports are the physical places on
such machines where the wires between machines plug in. Ports
have  distinct  identities  and  it  is  this  which  allows  us  to  program 
distinct  communications. 

Meaning  is  given  to  our  language  using  acceptors  and  this 
semantics  should  accurately  describe  the  intended  behaviour  though 
sometimes  in  a  rather  complex  manner.  It  is  believed  that  a  similar 
semantics  which  may,  in  a  clearer  way,  give  different  meanings  to 
the  choice  and  nondeterminism  operators,  could  be  formulated  by  the 
introduction of the $\Box$ and $\Diamond$ modal operators, capturing the notion of
"always"  and  "sometimes"  respectively.  This  then  gives  us  the  ability 
in  our  semantics  to  talk  about  experiments  which  "always  can"  happen 
and  about  ones  which  "possibly  may"  happen.  It  would  be  hoped  that 
these  two  semantics  would  be  equivalent.  A  formulation  of  the  modal 
semantics  and  an  equivalence  proof  between  the  semantics  remains  to 
be  performed. 
2. THE LANGUAGE

2.1 Primitive Language Constructs

To  help  illustrate  the  concepts  which  we  capture  using  the 
language operators, we introduce synchronisation trees as a descriptive
tool. The meaning of our syntax can then be represented
by  trees  and  the  syntax  taken  to  denote  this  tree  semantics.  We  do 
not  intend  to  formalise  this  denotational  semantics;  only  use  it  to 
explain  meaning  in  terms  of  the  well-understood  notion  of  trees. 

An  operational  semantics  which  gives  meaning  to  programs  by 
experimenting  upon  them,  is  given  later. 


We have three primitive language operators, the first being
guarding. This takes a program and appends it to something called
a synchronisation label to produce a new program. For label $\alpha$ and
program $p$, $\alpha p$ is this constructed program. Labels for the
moment can be thought of as events, with programs being constructed out
of them using our operators. Interaction between programs takes
place using these labels. Semantically, programs denote trees while
labels denote named arcs on the tree. If tree A is denoted by
program $p$ then program $\alpha p$ denotes the tree . Guarding gives
us sequentiality. In the above program $p$ follows the $\alpha$ event.


We  wish  programs  to  be  able  to  cooperate  with  others,  and 
depending  on  the  other  programs,  to  be  able  to  perform  different 
actions.  A  choice  operation  +  allows  this;  it  takes  two  programs 
and produces another program. For programs $p_1$ and $p_2$, $p_1 + p_2$
is another such program.
In terms of synchronisation trees, the • node represents this
externally resolvable choice. The program $p_1 + p_2$ denotes the tree


As  an  example^  the  two  programs  ar  and  (3s  are  composed  to  give 
program  ar  ^  +  (3r_,  which  denotes  tree 


Now  a  program  may,  for  some  reason  or  other  (to  be  made 
clear  later),  nondeterministically  wish  to  perform  certain  events,  or 
to  perform  some  other  events,  but  not  their  union.  A  program 
interacting  with,  or  communicating  with,  this  one  has  no  control  as 
to  which  of  the  sets  it  will  be  able  to  interact  with;  the  nondeterministic 
choice will somehow be made internally. For programs $p_1$ and $p_2$,
the program $p_1 \oplus p_2$ is their nondeterministic composition. The $\oplus$
node is used to indicate a nondeterministic branch in a tree.

$p_1 \oplus p_2$ denotes the tree


As an example, the program $(\alpha p + \beta q) \oplus \gamma r$ denotes the tree

Our trees are thus bipartite. Some arcs are not labelled;
these join $\oplus$ roots to • nodes. Arcs joining • roots to $\oplus$ nodes
will always be labelled. $\oplus$ nodes will always have their $\oplus$
offspring separated from them by at least one level of • nodes. This
is due to us not labelling arcs appearing from $\oplus$ nodes and the
associativity of the $\oplus$ operation. We have tree
rather than the trees


The  •  nodes,  corresponding  to  +,  may  have  •  as  their  direct 
descendants  since  the  arcs  joining  these  •  nodes  will  always  carry 
a  label. 

The  final  primitive  operator  is  a  nullary  one  A.  That  is,  A 
takes  no  arguments,  and  is  itself  a  program;  the  null  program.  A 
represents  termination  and  deadlock.  Termination  and  deadlock  are 
very  similar  with  termination  being  specified  directly  as  a  property 
of  a  single  program  and  deadlock  being  a  property  of  a  number  of 
interacting programs. An agent which wishes to perform event $\alpha$ or
event $\beta$ (to be decided on by the environment, i.e., other programs)
and in either case to then terminate, is represented by program
$\alpha A + \beta A$. The appearance of A representing deadlock will be described
in  Chapter  5. 

2.2 Sorts


Imagine  a  program  as  representing  a  special  purpose  machine 
executing that, and only that, code. As programs will communicate
with others so machines will communicate with other machines. To
carry the analogy further, we join machines using wires over which
communications pass. Each machine has a number of ports which
can be considered as the sockets into which the wires are fixed.
Ports are used to both send and receive signals, and to enable us to
specify how send and receive ports are interlinked we introduce
naming on ports via labels.

To  illustrate  the  labelling  and  linkages  between  machines,  we 
may  picture  machines  as  boxes.  These  boxes  have  ports  on  the 
periphery,  some  of  which  are  labelled.  The  convention  between 
machines  is  that  similarly  labelled  ports  are  linked. 


We  shall  permit  two  or  more  ports  with  the  same  label  to  be 
joined  together  and  to  facilitate  this  we  move  the  label  to  a  connector 
between  the  joined  ports,  and  join  on  further  ports  via  this  connector. 
A  connector  has  no  further  significance.  Three  machines,  which  can 
be  thought  of  as  being  concurrently  active,  can  be  linked  together  as 
follows:

[Figure: three machines linked through labelled connectors]

A set of labels is known as a sort. Each of the machines,
or  boxes  above,  has  a  sort  and  the  program  which  describes  the 
behaviour  of  each  machine  will  also  have  a  sort. 

The  labels  which  form  sorts  lie  in  the  name-set  A.  Every 
program  we  have  will  have  a  sort  though  not  all  sorts  will  be  made 
explicit.  The  labels  used  by  a  program  must  lie  in  its  sort  but  the 
sort  may  well  contain  others. 

Thus, program $\alpha p + \beta q$ may have the following sorts: $\{\alpha, \beta\}$,
$\{\alpha, \beta, \delta\}$, $\{\alpha, \beta, s\}$ and many others. The rules for defining programs
and  for  constructing  programs  from  programs  will  tell  us  what  the 
sort  of  a  program  is.  The  sort  is  therefore  implicit  and  is  given 
by  context. 

As A is a program then this null program will also have a
sort. We therefore may have A $\neq$ A where the two occurrences of A
may have different sorts. Subscripting of A with its sort will sometimes
be used to avoid such problems, but again the context usually
helps us.

2.3 Machines, Behaviours and Programs

What  is  the  difference  between  machines,  programs  and 
behaviours?  As  we  wish  to  be  able  to  represent  both  hardware  and 
software  computing  agents  without  distinction,  then  to  make  it  easier 
to  talk  about  the  topology  of  these  concurrent  systems,  we  use  the 
physical  analogy;  machines,  ports  and  wires.  A  machine,  of  course, 
has  a  behaviour  given  in  our  formalism,  and  the  machine  may  be 
realised physically or by using software; it does not concern us which.
We represent the behaviour, not the implementation which produces
that behaviour.

Conceptually  we  are  producing  a  formalism  in  which  to  both 
represent  concurrent  systems  and  to  program  concurrent  systems.  What 
a  representation  and  a  program  have  in  common  is  behaviour,  or  to 
use another word, meaning. The representation or model aims at
capturing  the  underlying  behaviour  of  the  system;  the  program  is  a 
representation  or  a  denotation  of  an  intended  behaviour.  In  fact,  we 
will  model  a  concurrent  system  using  a  program  and  the  behaviour 
of  the  system  is  then  given  in  terms  of  a  formal  semantics  for  the 
language  in  which  the  program  is  written.  Formally,  a  model  is 
designed  with  respect  to  the  properties  we  wish  to  represent.  In  our 
case  it  is  qualitative  concepts  such  as  termination,  deadlock  and 
equivalence  but  other  properties  may  be  modelled.  For  instance, 
we  have  performance  models  of  operating  systems  using  queuing 
techniques  and  simulation.  We  can  also  have  such  quantitative  models 
as  in  the  realm  of  complexity  theory.  We  do  not  concern  ourselves 
with  these  two  latter  types  of  properties. 

We use the word model in the sense of quantitative representation.
To model a complex of interlinked computing agents requires
us to represent the complex by some syntax; namely, a program.
To specify the behaviour of this program requires that we have a
semantics for the language in which the program is constructed. This
semantics gives meaning to the program. Thus the representation of
some particular computing agent, or complex of computing agents,
consists of a program and the semantics of the language. We can
then reason about properties of the real system by reasoning about
their representations in our formalism; our model.


The  model  we  describe  in  this  paper  consists  of  a  language 
and  a  semantics  for  the  language.  We  model  the  behaviour  of  a 
complex  of  agents  via  a  program  in  our  language.  Its  behaviour, 
and  so  that  of  the  complex,  is  given  by  the  formal  semantics  of  the 
language. 

Our  language  for  complexes  of  a  single  computing  agent  has 
been  described  so  far.  This  sequential  language  is  extended  to  deal 
with  a  world  of  concurrently  active  computing  agents;  complexes  with 
more  than  one  agent.  This  is  dealt  with  later  but  first  we  will  give 
an  operational  semantics  for  the  language  defined  so  far. 

2.4 Acceptance Semantics

We  have  informally  described  the  properties  of  single  computing 
agents  which  our  formalism  may  represent.  We  will  now  formally 
give  the  semantics  of  our  syntactic  constructs  using  the  notion  of 
acceptors.  Our  operational  semantics  is  then  what  we  shall  call  an 
acceptance  semantics. 

Definition. Every subset $L$ of a name-set A is known as a sort.
The acceptance semantics is given by an acceptance relation of type

$$(\mathrm{PROG} \times A) \times (\mathrm{PROG} \cup \{*\})$$

where PROG, the set of programs, is taken to be the word algebra
formed from the signature $\Sigma$, where

$$\Sigma = A \cup \{A, +, \oplus, \bullet, -\}$$

A is a nullary operator and A is a set of unary operators known as
labels. $+$, $\oplus$ and $\bullet$ are all binary operators while, for $\lambda$ ranging
over A, $-\lambda$ is a unary operator. The set PROG may be
partitioned according to sort such that

$$\mathrm{PROG} = \bigcup_{L} \mathrm{PROG}_L$$

PROG is then the union of all phyla $\mathrm{PROG}_L$ for all sorts $L$;
that is, for all subsets $L$ of the name-set A.

Our acceptance relation between $(\mathrm{PROG} \times A)$ and $(\mathrm{PROG} \cup \{*\})$
will be restricted to taking (program, label) pairs where the labels
lie in the sort of the program. The relation is undefined for
(program, label) pairs where the label lies outside the sort of the
program.

Technically,  we  could  have  effected  this  by  having  a  family  of 
relations,  one  relation  for  each  sort.  Then  for  each  sort  L  we  have 
a  relation  of  type 

$$(\mathrm{PROG}_L \times L) \times (\mathrm{PROG}_L \cup \{*\}).$$

It  will  generally  be  understood  what  the  sort  of  a  given  program  is 
and  thus  we  need  not  usually  explicitly  specify  it. 

The  symbol  *  is  not  in  the  syntax  of  the  language  but  is  a 
meta-symbol used in the semantics.

Meaning  is  given  operationally  to  programs  in  our  language 
using  the  family  of  acceptance  relations.  A  program  and  a  label 
from  its  sort  will  produce  either  a  new  program  or  the  symbol  * 
under  the  relation.  An  experiment  is  performed  here  in  that  a  label 
is  given  to  a  program  and  the  resulting  program  (or  *)  indicates  how
the  original  program  reacts  to  the  stimulus  of  the  label. 

For programs $p, p' \in \mathrm{PROG}_L$ and label $\lambda \in L$, the
relation $((p, \lambda), p')$ for sort $L$ is written as

$$(p, \lambda) \xrightarrow{L} p'$$

and indicates that after a $\lambda$ stimulus the program $p$ evolves into
program $p'$. Our relation can be thought of as defining an acceptor;
here program $p$ accepts $\lambda$ and evolves to program $p'$.

If $(p, \lambda) \xrightarrow{L} *$ then under our $\lambda$ stimulus $p$ produces $*$; it does
not accept the $\lambda$ and so does not produce a new program. The label
$\lambda$ has not been rejected though; program $p$ has evolved into a
degenerate state on receipt of the $\lambda$ stimulus.

The sort of a program will generally be understood and it will
usually not be necessary to put a sort superfix on the $\to$ symbol as
mentioned previously.

For  any  program/label  pair  a  number  of  outcomes  may  result; 
the  inherent  nondeterminism  of  the  language  may  cause  different 
programs  to  result  when  the  same  original  program  is  provided  with 
the  same  stimulus  label.  But  whether  a  program  is  nondeterministic 
or  not,  to  fully  specify  its  meaning  we  need  to  see  how  it  reacts  to 
all  possible  stimuli  contained  in  its  sort. 

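The semantics of programs constructed from the signature
set $L \cup \{A, +, \oplus\}$ for some $L \subseteq A$ is given by the smallest relation
satisfying, for $\alpha$ and $\beta$ ranging over $L$:

1. $(\alpha p, \alpha) \to p$

2. $(\alpha p, \beta) \to *$

3. $\dfrac{(p, \alpha) \to p'}{(p + q, \alpha) \to p'}$

4. $\dfrac{(q, \alpha) \to q'}{(p + q, \alpha) \to q'}$

5. $\dfrac{(p, \alpha) \to * \;\wedge\; (q, \alpha) \to *}{(p + q, \alpha) \to *}$

6.1 $\dfrac{(p, \alpha) \to p'}{(p \oplus q, \alpha) \to p'}$

6.2 $\dfrac{(p, \alpha) \to *}{(p \oplus q, \alpha) \to *}$

7.1 $\dfrac{(q, \alpha) \to q'}{(p \oplus q, \alpha) \to q'}$

7.2 $\dfrac{(q, \alpha) \to *}{(p \oplus q, \alpha) \to *}$

8. $(A, \alpha) \to *$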


All relation symbols $\to$ could have had $L$ as superfix. We therefore
see that the following programs all have the same sort $L$, where $\alpha \in L$:

$p$, $q$, $\alpha p$, $p + q$, $p \oplus q$, A.

It should be pointed out that $\beta$ is a member of $L$ since $(\alpha p, \beta) \to *$.
If $\beta \notin L$ then the relation for $(\alpha p, \beta)$ would be undefined.

A  here  is  of  sort  L  but  we  will  have  a  A  for  each  possible 
sort.  To  be  more  precise,  we  should  have  a  collection  of  them  each 
subscripted  by  its  sort,  but  once  again,  we  trust  the  context  to  keep 
us  right  and  so  avoid  the  need  for  these  subscripts. 
We  have  defined  the  semantics  for  a  primitive  language  not
having  the  ability  to  represent  concurrency  and  communication.  This 
comes  later.  First  we  shall  explain  the  intuition  behind  our  definition 
of  the  relations  used  in  our  acceptance  semantics. 

1. $(\alpha p, \alpha) \to p$: Program $\alpha p$ accepts an $\alpha$ label and
evolves to program $p$. That is, an $\alpha$ stimulus is given to $\alpha p$ and
program $p$ results.

2. $(\alpha p, \beta) \to *$: Program $\alpha p$ when given a $\beta$ stimulus
does not accept it.

3. If program $p$ can accept an $\alpha$ label and evolve to $p'$ then so can
program $p + q$. Clause 4 is similar.

5. If both programs $p$ and $q$ can fail when given an $\alpha$ stimulus,
then $p + q$ can also fail to accept an $\alpha$.

6.1, 6.2. If program $p$ receives an $\alpha$ stimulus and evolves either to
program $p'$ or to $*$ (where $p' \neq *$) then so also does $p \oplus q$.
Clauses 7.1 and 7.2 are similar.

8. $(A, \alpha) \to *$: The A program cannot accept any label.
It will produce $*$ on all stimuli.
In  our  language  we  shall  wish  to  say  which  programs  are
equivalent,  that  is,  which  programs  behave  similarly.  For  two 
programs  p  and  q,  we  say  they  are  equivalent  if  they  produce 
equivalent  programs  given  the  same  stimulus,  for  all  stimuli  in  their 
sorts.  Also,  for  a  given  stimulus,  if  *  results,  then  *  must  result 
when  an  equivalent  program  gets  given  the  same  stimulus. 

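Definition. Programs $p$ and $q$ of sort $L$ are equivalent,
written $p \simeq q$, iff $\forall \alpha \in L$ we have

a) $(p, \alpha) \to * \implies (q, \alpha) \to *$

b) $(q, \alpha) \to * \implies (p, \alpha) \to *$

c) $(p, \alpha) \to p' \implies \exists q'$ such that $(q, \alpha) \to q'$ and $(p' \simeq q')$

d) $(q, \alpha) \to q' \implies \exists p'$ such that $(p, \alpha) \to p'$ and $(p' \simeq q')$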

This  definition  of  equivalence  is  recursive  but  is  adequate  for  finite 
programs.  Finite  programs  terminate  using  A. 

To handle recursively defined programs, we introduce a new
equivalence $\sim$ where $\sim$ is taken to be the intersection of ascending
indexed relations $\sim_n$. Thus $\sim$ is defined to be $\bigcap_n (\sim_n)$ where $p \sim_0 q$
always holds and for programs $p$ and $q$ of sort $L$

$p \sim_{n+1} q$ iff $\forall \alpha \in L$:

a) $(p, \alpha) \to * \implies (q, \alpha) \to *$

b) $(q, \alpha) \to * \implies (p, \alpha) \to *$

c) $(p, \alpha) \to p' \implies \exists q'$ such that $(q, \alpha) \to q'$ and $p' \sim_n q'$

d) $(q, \alpha) \to q' \implies \exists p'$ such that $(p, \alpha) \to p'$ and $p' \sim_n q'$
We will perform induction on the "depth" of the equivalence
when proving two programs $p$ and $q$ equivalent.

Later we shall prove that $\sim$ is actually a congruence. That is,
for all contexts $C$ which can be constructed in our language,

$$p \sim q \implies C[p] \sim C[q].$$

A context is a program with a "hole" in it. $C[p]$ has this hole
replaced by program $p$.
3. INTERACTION BETWEEN PROGRAMS
3.1 Interaction Between Machines

Until now we have only concerned ourselves with the behaviour
of a single machine. We now introduce language features which
allow us to represent systems of machines. These machines will
compute concurrently and will interact with each other by synchronised
communication from time to time.

The  behaviour  which  we  capture  in  this  framework  is  that  of 
programs,  or  other  computing  agents,  being  given  an  external 
stimulus  and  evolving  into  some  new  program.  The  formal  semantics 
of  the  "single  component"  language  presented  so  far  relies  on  this 
notion  of  stimulus.  A  stimulus  is  accepted  and  either  produces  a 
new  program,  or  causes  failure  and  so  prevents  any  other  stimuli 
from being accepted. Note that a program can always accept a
stimulus but that it may well cause failure. Suppose the machine has
behaviour denoted by program $\alpha p + \beta q$. Then it can receive a stimulus
at port $\alpha$ and evolve into a new behaviour denoted by program $p$ or it
can receive stimulus at port $\beta$ and evolve to program $q$. The
environment only sends one stimulus at a time but regardless of
whether it is an $\alpha$ or $\beta$ the program can respond and evolve to
subprograms $p$ and $q$ respectively.

We  have  assumed  that  these  stimuli  are  produced  by  the 
environment  and  our  semantics  says  what  happens  to  a  program 
when  they  are  accepted.  The  environment  may  well  be  another 
program,  and  so  programs  not  only  have  the  ability  to  receive  stimuli 
but  have  the  ability  to  generate  stimuli. 
Now the environment can also be thought of as a machine E
generating stimuli on the various "lines" connecting it with machine
M.  When  a  synchronisation  takes  place  the  two  machines  M  and  E 
which  are  concurrently  running  programs,  may  exchange  stimuli  on 
one,  and  only  one,  of  the  lines  and  their  behaviours,  represented  by 
programs  m  and  e  evolve  into  new  programs  m'  and  e'. 

In  our  language,  we  shall  not  distinguish  between  generated 
and  received  stimuli.  The  reason  for  this  is  that  we  are  interested 
in  how  the  stimuli  synchronise  at  instances  in  the  life  of  our  system. 
The generation and receipt of a stimulus is considered as an instantaneous
act between programs. This act requires synchronisation
between  the  participating  programs.  Synchronisation  can  therefore 
be  thought  of  as  an  instantaneous  exchange  of  stimuli  with  only  one 
such  synchronisation  taking  place  at  a  time. 

Earlier  we  showed  how  programs  may  be  pictured  as  machines 
having  ports.  The  ports  are  used  to  link  machines  together  to  form 
complexes,  or  systems,  of  machines.  The  convention  adopted  is 
that  similarly  labelled  ports  get  joined  through  a  connector  node. 

For machines M, N and O as follows:

[Figure: machines M, N and O with their labelled ports]

they link together to give the following complex:

We see that M, N and O have made a three-way linkage using
$\alpha$ ports and a two-way linkage via the $\gamma$ ports. The $\beta$ and $\delta$ ports
still have not been connected but they, as well as the $\alpha$ and $\gamma$
connectors, can be used to attach further machines.

We  now  have  a  convention  for  representing  the  communication 
structure  of  a  system.  But  this  is  purely  static  as  we  have  not 
specified  the  behaviour  of  the  complex  of  machines;  we  have  not 
said  how  they  use  the  communication  lines  to  exchange  stimuli  among 
themselves. 


If m, n and o are the programs in our language which specify
M, N and O (the programs running on M, N and O, if you like), then
the composite system is m • n • o. How does this composition
operation work? That is, what are its semantics?


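For programs p and q of sorts $L_p$ and $L_q$ respectively:

9.
$$\frac{(p, \alpha) \to p' \;\wedge\; (\alpha \notin L_q)}{(p \bullet q, \alpha) \to p' \bullet q}$$

10.
$$\frac{(q, \alpha) \to q' \;\wedge\; (\alpha \notin L_p)}{(p \bullet q, \alpha) \to p \bullet q'}$$

11.
$$\frac{(p, \alpha) \to p' \;\wedge\; (q, \alpha) \to q'}{(p \bullet q, \alpha) \to p' \bullet q'}$$

12.
$$\frac{(p, \alpha) \to *}{(p \bullet q, \alpha) \to *}$$

$$\frac{(q, \alpha) \to *}{(p \bullet q, \alpha) \to *}$$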
The relation below the line in each of these clauses should
have $L_p \cup L_q$ superscripted on the • operator, but we know implicitly
that the sort of p • q is the union of the sorts of its components.


To explain how p • q behaves in terms of acceptor semantics,
first  note  that  we  are  considering  p  and  q  as  two  concurrently  active 
programs  which  either  communicate  with  each  other  by  the  exchange 
of  stimuli  or  attempt  to  interact  with  the  environment,  i.e.,  receive 
a  stimulus  from  the  environment. 


The first clause, clause 9, states that if p accepts an α
stimulus which does not result in *, say program p', and if α is not
a member of the sort of q, then p • q accepts an α stimulus and evolves
into p' • q. Here, program p evolves to p' after accepting an α
stimulus but q does not progress due to the α stimulus. Hence p • q
evolves to p' • q on receipt of an α stimulus. Those labels in the sort
of p but not in the sort of q are said to be external, thus α is an
external label. The external stimulus, an α in this case, appears
from the environment and not from the other program q; it is therefore
external to the composite program p • q.

Clause  10  gives  meaning  to  external  stimuli  via  labels  lying  in 
the  sort  of  q  but  not  in  the  sort  of  p. 

Clause 11 states that if p accepts an α stimulus and evolves to
p' and q accepts an α stimulus and evolves to q', with p' and q' not
being *, then p • q will accept an α stimulus and evolves to program
p' • q'. Here the α is an internal label; it lies in the intersection of
the sorts of p and q. The two programs p and q synchronise on
label α and exchange their α stimuli allowing both to evolve into the
new programs p' and q'. These two programs are similarly composed
using • to give what p • q evolves to. The clause (p • q, α) → * states
that if p on receipt of an α stimulus evolves to * then p • q on receipt
of a stimulus also evolves to *.


If α is external to p • q then α will not be in the sort of q.
Thus if p on receipt of α cannot produce a new program then p • q
cannot produce a new program given the same stimulus. We therefore
get * as a result. Of course, program p may involve the nondeterministic
operator so p may give a new program as well on receipt of
an α. Clause 9 deals with this case.

If α is internal to p • q then α lies in the sort of both p and q.
If p produces * on receipt of an α then so also will p • q since regardless
of whether q gives a new program or * on receipt of an α, p
will give *. Of course, p may also produce a new program p' on
receipt of α, which would be due to the presence of our nondeterminism
construct. In this case either clause 11 would give a new program if
q produces a program when given an α stimulus, or the dual of this
clause would give an * as the result if q gives * on receipt of an α.


3.2 A Derived Operator

Using  our  set  of  primitive  operators  over  sorts,  we  may  define 
other  operators  to  simplify  programs  which  are  constructed  in  some 
common  fashion.  These  derived  operators  may  also  be  used  to  help 
illustrate  how  certain  phenomena  which  are  met  in  a  concurrent  world 
are  represented  in  our  language. 
As an example of this, we define a polyadic composition
operation ∏ using our binary concurrent composition operator •.

∏ will be a sorted operator of sort $L_1 \times L_2 \times \cdots \times L_n \to L_1 \cup \cdots \cup L_n$,
for n arguments. ∏ is defined by:

$$\prod(p_1, p_2, \ldots, p_n) = p_1 \bullet p_2 \bullet \cdots \bullet p_n$$

Why  do  we  wish  such  an  operator? 

We introduce it because it helps to indicate the multiway
synchronisation performed when we compose two or more programs
using •. An n-way synchronisation is represented by repeatedly
applying the binary operator • to n or more programs, but we can
imagine that with the ∏ operator this n-way synchronisation is performed
as a single act. In fact, we can directly define a polyadic
operator which does just this (rather than ∏, which is a derived
operator) and which has • as its 2-argument instance but for technical
reasons our binary • is preferred as a primitive in our language.

3.3 Properties of the Language

Using  the  language  features  introduced  so  far,  we  can  construct 
programs  and  give  their  meaning  using  our  acceptance  semantics. 

Our  understanding  of  how  these  language  features  were  derived,  i.e., 
in  terms  of  stimuli,  leads  us  to  require  that  these  language  constructs 
possess  certain  features;  that  they  satisfy  certain  laws.  First  let  us 
introduce  the  notion  of  normal  form  programs. 
Definition: A program is in CNF (Conjunctive Normal Form) if
either it is constructed from CNF subprograms using
only the choice operator or it is constructed from a
subprogram and a label using the guarding operator.

Examples: (αp ⊕ βq) + γr is not in CNF,
          since αp ⊕ βq is not in CNF
          (αp + βq) + γr is in CNF
          ε(αp ⊕ βq) + γr is in CNF

Definition: A program is in DNF (Disjunctive Normal Form) if it
is constructed from subprograms using the nondetermination
operator.

Examples: (αp ⊕ βq) + γr is not in DNF,
          even though αp ⊕ βq is in DNF
          (αp + βq) ⊕ γr is in DNF
          ε(αp + βq) ⊕ γr is in DNF

Definition: A program is in normal form if it is in CNF or DNF and
its component subprograms are in normal form.

Note that the program (αp ⊕ βq) + γr is neither in CNF nor
DNF. It is thus not in normal form.
A CNF program can be written as $\sum_i \alpha_i p_i$ where

$$\sum_{i=1,n} \alpha_i p_i = \alpha_1 p_1 + \cdots + \alpha_n p_n$$

and a DNF program can be written as

$$\bigoplus_{i=1,n} \alpha_i p_i = \alpha_1 p_1 \oplus \cdots \oplus \alpha_n p_n.$$

The empty sum = A; so A is the identity for +.


3.4  Program  Axioms 

Here we list certain laws which our language constructs satisfy
and explain why we require them. Thinking of our language as a
word algebra $W_{\Sigma_1}$ where $\Sigma_1 = A \cup \{+, \oplus, A, \bullet\}$ we may take these
laws to be axioms.

[+^] x + x = x idempotency

[+^] x + y = y + x commutativity

[++] x + (y + z) = (x + y) + z associativity

[+A] x + A = x identity

In  the  above  laws  x,  y,  z  are  all  CNF  programs;  they  do  not  have 
operation  ©  outermost. 

We  have  the  idempotency  of  our  choice  operation  +  because  to 
any  program  interacting  with  x  +  x  then  the  two  copies  behave  just  as 
if  one  were  present;  the  commutativity  of  +  since  the  order  of  possible 
choices  should  be  immaterial;  the  associativity  of  +  since  we  wish  to 
allow  for  more  than  two  choices  to  be  made  at  certain  times;  the 
identity  since  nothing  may  interact  with  A. 
[⊕^] x ⊕ x = x idempotent

[⊕^] x ⊕ y = y ⊕ x commutative

[⊕⊕] x ⊕ (y ⊕ z) = (x ⊕ y) ⊕ z associative

[+⊕] x + (y ⊕ z) = (x + y) ⊕ (x + z) + distributes over ⊕

[α⊕+] αx + αy = αx ⊕ αy
[⊕⊕+] x ⊕ y ⊕ (x + y) = x ⊕ y

Note that A is not an identity for ⊕, but just for +.

We have the idempotency of ⊕ since no matter which subprogram
the program x ⊕ x nondeterministically gives us, then they
are the same, i.e., x; commutativity since our nondeterminism
operator should treat its operands in an unordered fashion; associativity
since we wish to program agents having more than two possible
behaviours.

We allow distributivity x + (y ⊕ z) = (x + y) ⊕ (x + z) since the left-hand
side says that it will accept the stimuli due to subprogram x but
only accept the stimuli due to one or other of y or z and we do not
know which. The right-hand side says that we can accept the stimuli
due to x and y or accept the stimuli due to x and z but not both. That
is, both sides of the axiom state that the interactions contributed by x
are always present together with either those of y or z and we do not
know which.

We allow that αx + αy = αx ⊕ αy since if an α stimulus is given
to either side of the axiom either x or y is the resulting program and
the α stimulus has no control over which one results.
It may be supposed that we would also have the axiom
αx ⊕ αy = α(x ⊕ y), that is, guarding distributing over ⊕. But the
left-hand side nondeterministically gives us programs x or y on
receipt of an α stimulus, i.e., after an α communication, whilst the
right-hand side deterministically gives us the nondeterministic
program x ⊕ y. In terms of our acceptance semantics these programs
are not equivalent since x is not equivalent to x ⊕ y, and y is not
equivalent to x ⊕ y. The problem here is due to the different "levels"
the nondeterminism appears at. Intuitively we would like the axiom
αx ⊕ αy = α(x ⊕ y) but to ensure that αx ⊕ αy ~ α(x ⊕ y) would require a
change in our acceptance semantics. We will not do this.

We have axiom [⊕⊕+] since x ⊕ y ⊕ (x + y) reacts in the same
way as x ⊕ y to a given stimulus. If some stimulus α gets nondeterministically
sent to x + y or x or y then the program (or *) which
results will be the same as if it were nondeterministically sent to
just x or y. The possible outcomes of x + y are a subset of those
for x ⊕ y. The only way they differ is that x ⊕ y may produce an *
where x + y would not.

We have previously mentioned that we may introduce $\sum$ so
that $\sum_{i=1,2} \alpha_i p_i = \alpha_1 p_1 + \alpha_2 p_2$. Similarly, $\bigoplus_{i=1,2} \alpha_i p_i = \alpha_1 p_1 \oplus \alpha_2 p_2$. Now
$\sum$ (= A) is the identity for + and similarly, $\bigoplus$ (≠ A) is the identity for
⊕ and +. $\sum$ and $\bigoplus$ are the "empty" choice and nondeterminism
operators respectively and are meta-symbols which do not appear
explicitly in our language but may be used for convenience. They are
derived operators which sugar our language.
In the above we allow + to distribute over ⊕ but not vice-versa.
The reason for this is that if we have both:

the existing law (I) x + (y ⊕ z) = (x + y) ⊕ (x + z)

and its dual (II) x ⊕ (y + z) = (x ⊕ y) + (x ⊕ z)

then we produce an inconsistency in our set of axioms. An example
illustrates this:

$$\begin{aligned}
& (\alpha p_1 \oplus \beta p_2) + \gamma q \\
&= (\alpha p_1 + \gamma q) \oplus (\beta p_2 + \gamma q) && \text{by (I)} \\
&= (\alpha p_1 \oplus (\beta p_2 + \gamma q)) + (\gamma q \oplus (\beta p_2 + \gamma q)) && \text{by (II)} \\
&= (\alpha p_1 \oplus \beta p_2) + (\alpha p_1 \oplus \gamma q) + (\gamma q \oplus \beta p_2) + (\gamma q \oplus \gamma q) && \text{by (II)} \\
&= (\alpha p_1 \oplus \beta p_2) + (\gamma q \oplus (\alpha p_1 + \beta p_2)) + \gamma q && \text{by + assoc., (II) and } \oplus \text{ idempotency} \\
&= [(\alpha p_1 \oplus \beta p_2) + \gamma q] + [\gamma q \oplus (\alpha p_1 + \beta p_2)] && \text{by + assoc. and comm.}
\end{aligned}$$

Now this is our first line composed with $[\gamma q \oplus (\alpha p_1 + \beta p_2)]$ using +.
For this to hold either $[\gamma q \oplus (\alpha p_1 + \beta p_2)]$ = A, which it patently is not,
and the identity law is used; or $\gamma q \oplus (\alpha p_1 + \beta p_2)$ is either equal to,
or is a subDNF sum of $(\alpha p_1 \oplus \beta p_2) + \gamma q$, which is also
false since the left-hand side has that a γ communication may
possibly take place whilst the right-hand side says that it always can
take place when provided with a γ stimulus, and idempotency would
be used. Since we wish to allow law (I) then law (II) must produce
this inconsistency and so (II) must be false. Note that p is a subDNF
sum of q if every DNF clause in p is also a DNF clause in q.
We allow guarding to distribute over ⊕ but not over +. The
reason for this is that ⊕ and + are clearly distinct as explained in
Chapter 1 and so x ⊕ y ≠ x + y provided x ≠ y. Now α(x ⊕ y) ≠ α(x + y)
since following an α communication the left-hand side can perform
the communications of either the x or y subprograms but we
nondeterministically do not know which, whilst on the right-hand side
any of the x and y communications may take place.

As α(x ⊕ y) = αx ⊕ αy = αx + αy using our axioms then αx + αy ≠
α(x + y).

Using our acceptance semantics we can easily show that
x ⊕ (y + z) and (x ⊕ y) + (x ⊕ z) are not equivalent and that αx + αy and
α(x + y) are also not equivalent.

Now we introduce the axioms involving our concurrency
operator.

Note that we normally do not need to subscript • as the sorts
of its components will be understood. The [•+] law gives $\sum$ (= A) if
there exists no $\mu_i$, $\mu_j$ such that $\mu_i \notin M$ or $\mu_j \notin L$ or $\mu_i = \mu_j$. A will
represent deadlock between the two components p and q.

We have the idempotency law for our concurrency operator •
since identical programs will give stimulus to each other using all
their labels leaving us with an identical program. This is the case
provided that the component programs are in CNF, i.e., there is no
⊕ outermost. We do not have idempotency with DNF programs;
consider (x ⊕ y) • (x ⊕ y) under axiom [•⊕].

We  have  commutativity  and  associativity  for  •  since  it  should 
be  irrelevant  the  order  in  which  component  programs  are  composed. 


For p and q in CNF then p • q should also be in CNF constructed
out of guards whose labels are external to p • q and guards whose labels
are internal to p • q. The $\sum_{\mu_i \notin M} \mu_i (p_i \bullet_{LM} q)$ clause contributes to p • q
those guards who appear in p but whose labels do not appear in the
sort of q. Since only the p participates in this then the resulting
program composed with the label is $p_i \bullet_{LM} q$. Similarly for labels
in guards of q which are not in the sort of p. Finally, the clause
$\sum_{\mu_i = \mu_j} \mu_i (p_i \bullet_{LM} q_j)$ contributes to p • q a guard whose label is the same
as guards appearing in p and in q and as both p and q participate in
this synchronisation the program $p_i \bullet q_j$ results which is composed by
the guarding operation with label $\mu_i$. Hence p and q have synchronised,
exchanged $\mu_i$ stimuli, and have evolved to programs $p_i$ and $q_j$ which are
recursively composed by the • operation.
If (1) we do not have any labels $\mu_i$ in guards of program p such
that $\mu_i \notin M$, the sort of q; and if (2) we do not have any labels $\mu_j$ in
guards of q such that $\mu_j \notin L$, the sort of p; and if (3) there are no
guards in p and in q having the same label then $p \bullet_{LM} q = \sum$, the
"empty sum" which is the nullary operator A. A has sort L ∪ M
and we can note that • is the only operation so far which changes
sorts; by unioning the sorts of the components. The operations
defined so far are sorted as follows:

α : L → L where α ∈ L,

+ : L × L → L

⊕ : L × L → L

• : L × M → L ∪ M

Finally, the [•⊕] law is present since p running concurrently
with program q ⊕ r means that p will actually run concurrently with
either subprogram q or subprogram r and we
do not know which. (p • q) ⊕ (p • r) is the program where either p
runs with q or p runs with r and the decision is made
nondeterministically.

We  have  justified  the  laws,  or  axioms,  informally.  In  a  later 
chapter  we  prove  that  the  laws  actually  hold  with  respect  to  our 
acceptance  semantics.  Thus,  for  the  laws  above,  the  left-hand  side 
has  the  same  meaning  as  the  right-hand  side  and  so  we  can  quite 
happily  use  the  laws  to  replace  programs  by  semantically  equivalent 
programs  in  any  program  context  without  changing  the  complete  program 
meaning. This is the case since the laws satisfy our notion of equivalence
which also happens to be a congruence.

In terms of the acceptance semantics and our notion of equivalence,
we can prove that the following do not hold:

x ⊕ (y + z) = (x ⊕ y) + (x ⊕ z) and α(x + y) = αx + αy.

We  have  previously  informally  justified  them  as  not  being  axioms  in 
our  language. 

Two  further  operations  require  to  be  introduced  into  our 
language  but  we  first  introduce  recursion  and  recursive  definitions. 
These  allow  us  to  produce  some  interesting  example  programs  using 
our  language. 
4. IDENTIFIERS, DECLARATIONS AND EXAMPLES

4.1 Identifiers and Declarations

To allow us to give practical examples, we extend the language
$W_{\Sigma_1}$ by giving it the ability to handle data structures. This does not
change any of the preceding language philosophy but allows us to
program, that is, to represent the behaviour of computing agents such as
registers, memories, stacks and queues.

Let us introduce a set of identifiers I written using capitals,
with which to name programs, and a constructor = to bind programs
to identifiers. We therefore have our new language, the word algebra
$W_{\Sigma_2}$ where

$$\Sigma_2 = A \cup I \cup \{+, \oplus, A, \bullet, =\}.$$


The = operation is of type I × Prog → Dec. An identifier in
p ∈ Prog is either the identifier currently being bound to p or else has
previously been bound in p. The identifier after binding then names
a program and thus has a sort, the same as the program. There are
no restrictions on the sort of programs which we can bind with
identifiers.


For ID ∈ I and p ∈ Prog we give meaning to a declaration by
extending our acceptance semantics:

21.
$$\frac{(p, \alpha) \to p' \;\wedge\; (ID = p)}{(ID, \alpha) \to p'}$$

This construct permits us to define recursive programs, i.e., P = αP.
Now we assume that after this declaration, P identifies and has
the same behaviour as αP. The declaration itself is not a program
and we must compose it with a program to form a new program. We
introduce a new operator where giving the alphabet $\Sigma_3 = \Sigma_2 \cup \{\text{where}\}$.

Composing  a  declaration  with  a  program  uses  the  where  operation, 
of  type: 

(Prog × Dec) → Prog

Note that an identifier may not appear as a member of Prog unless
it has previously been declared by some member of Dec. Declarations
and the use of where are really not necessary to our language and
"sugar" it to make programs read more easily.

We  can  have  the  following  programs: 

αP + δA where P = αP + βA

We assume here that the operators in alphabet $\Sigma_2$ bind more
strongly than where, which in turn binds more strongly than =.

We may also nest declarations to get:

P • Q where P = αP + βA where Q = αA

A derived operation and of type Dec × Dec → Dec can be defined as:

$$d_1 \text{ and } d_2 \stackrel{\text{def}}{=} d_1 \text{ where } d_2.$$
The acceptance semantics for the extended language $W_{\Sigma_3}$ is as for $W_{\Sigma_2}$
with the addition of clause 22.

Let {m/n} be the substitution operation in our semantics (not
in our syntax) such that n gets replaced by m, then

22.
$$\frac{(p\{m/n\}, \alpha) \to p'}{(p \text{ where } n = m, \alpha) \to p'}$$

4.2 Data Structures

The  ability  to  identify  a  program  with  a  name  allows  us  not  only 
to  write  recursive  programs  but  to  introduce  data  structures.  To 
effect  the  latter  we  allow  identifiers  to  be  not  just  names  but  names 
parameterised  on  some  data  structure. 

We  are  not  able  to  represent  the  communication  of  values  in 
our  language;  we  only  can  communicate,  or  synchronise,  stimuli  and 
this  interaction  indicates  no  more  than  that  a  synchronisation  between 
two  (or  more)  programs  has  taken  place.  For  this  reason  our  data 
structures  will  contain  only  boolean  values  though  other  types  of  values 
may  be  simulated. 

Consider  a  boolean  register.  What  behaviour  does  it  have? 

Well,  if  it  is  nonempty  it  can  output  its  contents  which  will 
then  remain  unchanged  or  it  can  output  a  new  boolean  value  and  replace 
its  contents  by  this  new  value. 

Such a behaviour is given by a program identified by REG of
sort $\{\varepsilon_1, \varepsilon_0, \sigma_1, \sigma_0\}$.

$$\begin{aligned}
\mathrm{REG} &= \varepsilon_1\,\mathrm{REG}(1) + \varepsilon_0\,\mathrm{REG}(0) \quad \text{where} \\
\mathrm{REG}(0) &= \sigma_0\,\mathrm{REG}(0) + \varepsilon_1\,\mathrm{REG}(1) + \varepsilon_0\,\mathrm{REG}(0) \\
\text{and} \quad \mathrm{REG}(1) &= \sigma_1\,\mathrm{REG}(1) + \varepsilon_1\,\mathrm{REG}(1) + \varepsilon_0\,\mathrm{REG}(0)
\end{aligned}$$

This declaration can of course be combined with another program
using the where operation.

A program REG is the initially empty register which can
therefore only input a 1, represented by a stimulus at the $\varepsilon_1$ port,
or a 0 represented by a stimulus at the $\varepsilon_0$ port. Since we cannot
communicate the values 1 and 0 we have two separate ports which
allow 1 or 0 stimuli to be effected, and so we have two input lines
connecting this register program with other programs. We also have
two output ports $\sigma_1$ and $\sigma_0$, since once a value has been loaded into
the register our program must also have the ability to output the
contents as well as load new contents. The identifiers REG(0) and
REG(1) identify register programs whose contents are 0 and 1
respectively, the former being able to synchronise through the $\sigma_0$
port and the latter through the $\sigma_1$ port. This represents a 0 and 1
being output respectively.

In the above we have two input and two output ports representing
the input and output of 1's and 0's. Conceptually we have only two
ports ε and σ with the index indicating the value to be communicated.
When "simulating" value communications like this, we do not distinguish
between a sender and receiver. In fact, since more than two
programs may synchronise on a particular label, this multiway
synchronisation permits us to represent the broadcasting of a value to
a number of different programs.
4.3 Other Examples

Memories

We can construct memories out of registers. To do this we
must give each register a separate identity. Let $\mathrm{REG}^i$ be of sort
$\{\varepsilon_1^i, \varepsilon_0^i, \sigma_1^i, \sigma_0^i\}$ and so let it be defined as for REG but with label
changes. Then define MEM, a memory of sort $\bigcup_{i=1,n} \{\varepsilon_1^i, \varepsilon_0^i, \sigma_0^i, \sigma_1^i\}$:

$$\mathrm{MEM} = \mathrm{REG}^1 \bullet \mathrm{REG}^2 \bullet \cdots \bullet \mathrm{REG}^{n-1} \bullet \mathrm{REG}^n \quad \text{where} \cdots$$

An operation to produce instances of a generic program will be
introduced later. As the REG's in MEM have disjoint sorts they
are not connected by the concurrency operation.

Stacks 


We saw that a register was defined using an identifier parameterised
on a tuple (or string) of booleans. A stack of sort
$\{\delta_0, \delta_1, \sigma_0, \sigma_1\}$ may be defined by:

$$\begin{aligned}
\mathrm{STACK}(\varepsilon) &= \delta_0\,\mathrm{STACK}(0^{\frown}\varepsilon) + \delta_1\,\mathrm{STACK}(1^{\frown}\varepsilon) \\
\text{where} \quad \mathrm{STACK}(0^{\frown}n) &= \sigma_0\,\mathrm{STACK}(n) + \delta_0\,\mathrm{STACK}(0^{\frown}0^{\frown}n) + \delta_1\,\mathrm{STACK}(1^{\frown}0^{\frown}n) \\
\text{and} \quad \mathrm{STACK}(1^{\frown}n) &= \sigma_1\,\mathrm{STACK}(n) + \delta_0\,\mathrm{STACK}(0^{\frown}1^{\frown}n) + \delta_1\,\mathrm{STACK}(1^{\frown}1^{\frown}n)
\end{aligned}$$

Here ε is the empty string. Note that we do capture the behaviour of
a stack here as 1's and 0's are "put" on and "taken" off the top of the
stack. A queue may be defined similarly but we "put" on a different
end of the string from where we "take" off.

Counters 

A  counter  COUNT(i),  parameterised  on  integer  i,  will  have  sort 
{up,  down,  zero}.  As  we  do  not  (yet!)  have  a  conditional  construct 
in our language we define COUNT(i) by use of two clauses

COUNT(0) = zero COUNT(0) + up COUNT(1)

and

COUNT(n+1) = down COUNT(n) + up COUNT(n+2)


This  counter  keeps  track  of  the  number  of  ups  that  exceed  the  number 
of  downs. 


An  alternative  counter  may  count  negatives  as  well.  Let  us 
call  this  program  COUNTER(i)  where  i  is  the  number  of  ups  minus 
the  number  of  downs.  It  will  have  sort  {up,  down}. 


COUNTER(n) = up COUNTER(n+1) + down COUNTER(n-1)


It  is  the  environment  which  generates  the  up  and  down  stimuli  and  the 
COUNTER  program  will  cooperate  with  whatever  is  in  the  environment 
to  synchronise  on  a  stimulus  and  evolve  to  a  new  program.  We  may 
wish the environment to interrogate the counter and discover its
contents. As we have no value-passing mechanism in our language
(unlike CSP, for instance) we have problems in getting the value of
the contents "out." If we allow our counter to be bounded then we
can  have  an  out  label  for  each  integer.  That  is,  a  separate  output 
line  corresponds  to  each  integer  and  if  a  synchronisation  is  made  on 
one  of  these  lines  by  some  other  program  we  may  assume  that  this 
program  now  knows  the  contents  of  the  counter. 

Suppose our counter only counts positively, as COUNT(i), and
has a maximum of m. Then COUNTM(i) will have sort
$\{\mathit{contents}, \mathit{up}, \mathit{down}, \mathit{out}_0, \mathit{out}_1, \ldots, \mathit{out}_m\}$ and is defined by:

$$\mathrm{COUNTM}(0) = \mathit{contents}\ \mathit{out}_0\ \mathrm{COUNTM}(0) + \mathit{up}\ \mathrm{COUNTM}(1)$$

and

$$\mathrm{COUNTM}(m) = \mathit{contents}\ \mathit{out}_m\ \mathrm{COUNTM}(m) + \mathit{down}\ \mathrm{COUNTM}(m-1)$$

and

$$\mathrm{COUNTM}(m-1) = \mathit{contents}\ \mathit{out}_{m-1}\ \mathrm{COUNTM}(m-2) + \mathit{up}\ \mathrm{COUNTM}(m) + \mathit{down}\ \mathrm{COUNTM}(m-2)$$

The contents guard is really redundant since the interrogating
program which we would compose with COUNTM using • must be
able to synchronise on all of $\mathit{out}_0, \ldots, \mathit{out}_m$ so that it will know the
contents. Leaving the contents guard out has the same effect. We
do not need a special label for zero contents; $\mathit{out}_0$ is suitable.

The language may be extended to allow values to be communicated
whenever a synchronisation takes place. This opens up a much
larger class of examples which can be easily programmed. As we
are interested in the synchronisation and nondeterministic aspects of
our language, we omit the value-passing features for the meantime.

4.4 The Dining Philosophers Problem

In  this  example  we  have  two  types  of  computing  agents, 
philosophers  and  forks.  We  have  the  same  number  of  philosophers 
and  forks  laid  out  around  a  table  with  philosophers  and  forks  alternating. 
A  philosopher  is  allowed  to  access  only  the  forks  on  either  side.  The 
"problem"  which  this  example  illustrates  is  described  as  follows:  to 
enable  a  philosopher  to  eat  he  must  be  in  possession  of  both  his 
neighbouring  forks  and  the  forks  can  be  obtained  in  either  order. 
Unfortunately this may cause a deadlock situation in which all philosophers
have "picked up" their left-hand (or all their right-hand) forks.
This  means  that  all  forks  are  accessed  and  no  philosopher  is  able  to 
obtain  the  two  forks  he  needs  to  enable  himself  to  eat;  all  philosophers 
starve.  This  is  a  problem  involving  shared  resources,  each  fork  being 
shared  between  two  philosophers. 

We  shall  program  a  "solution"  to  this  "problem"  in  our  language. 
The  solution  provides  for  philosophers  to  access  the  forks  in  such  a 
way that the system does not deadlock. Our solution is not fair however;
some philosophers may be prevented from accessing both forks
forever and so starve. Fairness questions are outside the remit of
our  language  and  we  believe  that  fairness  is  an  implementation  issue 
and  so  does  not  concern  us.  For  instance,  to  make  our  dining 
philosopher's  program  fair,  a  centralised  scheduler  may  be  introduced 
to  control  the  order  in  which  philosophers  access  forks.  Many 
algorithms  can  be  adopted  by  this  scheduler  to  ensure  fairness. 

A  centralised  scheduler,  or  controller,  may  be  used  to  ensure 
the absence of a deadlock without even considering fairness. In [4]
Hoare  uses  a  "room"  as  a  centralised  controller.  This  room  controls 
the  number  of  philosophers  active,  or  present,  at  any  given  instant. 

As  long  as  the  number  of  active  philosophers  is  one  less  than  the 
number  of  forks  then  the  system  will  not  deadlock. 

We  wish  a  distributed  solution,  that  is,  the  behaviour  of  the 
philosophers  and  forks  themselves  should  be  such  that  when  they 
interact  the  system  as  a  whole  does  not  deadlock. 

Let  us  program  this  for  a  system  of  three  philosophers  and 
three  forks.  It  is  easy  to  see  how  the  system  can  be  extended  to 
involve n philosophers and n forks.


The  agents  will  be  interlinked  as  follows. 
The philosophers wish to pick up the forks on either side of
them in either order, eat, then put the forks down in either order,
then think and so on. Synchronisation via the gl and gr ports
represents interaction between a philosopher and the left or right
fork to pick the fork up while e and t ports are used by the philosopher
programs to represent their desire to eat and think. The pr
and pl ports are used to synchronise the action of placing down the
left or right forks. This, again, is an interaction between a fork and
a philosopher.

The behaviour of the ith philosopher can be represented by the
program of sort {pi_i, gi_i, pr_i, gr_i, t_i, e_i} defined by

    P_i = gi_i gr_i P'_i + gr_i gi_i P'_i

where

    P'_i = e_i (pi_i pr_i t_i P_i + pr_i pi_i t_i P_i)


The behaviour of the forks is given by

    F_i = gr_i pr_i F_i + gi_(i ⊖ 1) pi_(i ⊖ 1) F_i

Here ⊖ is subtraction modulo n, where n is the number of forks (and
philosophers) in the system.

We see that the philosopher asks for both forks in either order
and then eats. The forks are placed down in either order, he thinks
and so on. A fork can be picked up by either of the philosophers on
each side of it. When it is picked up this prevents the other
philosopher gaining the fork until it has been placed down again.

For n = 3 we have a system pictured as above with

    SYS = P_1 • P_2 • P_3 • F_1 • F_2 • F_3

Here  is  with  the  guards  all  relabelled  by  changing  the  index. 
This is performed using the [α/β] operator and produces instances
of philosopher programs from the generic philosopher P_i. Forks
are treated similarly.

We may apply axiom [• +] a number of times to SYS and we
discover that one of the subprograms produced is

    gi_1 gi_2 gi_3 A

hence the system may deadlock. Other summands also result in the
appearance of A whilst others do not. The summand above indicates
that all of the forks have been picked up by the philosophers' left
hands so preventing any philosopher gaining both forks and so
preventing any philosopher from eating.

To prevent this we change the philosopher's behaviour so that
before starting to pick up and place down the forks the philosopher
reserves both forks and so prevents the philosophers which share his
forks from gaining access to them. We introduce r_i guards on the
philosopher and his neighbouring forks. To synchronise on this
guard (effected by the • operator) the philosopher and both his forks
must cooperate in a three-way synchronisation to reserve both forks.

We redefine our philosopher and fork programs to include this
reservation guard. As the eating and thinking guards do not influence
whether the system deadlocks or not, we will omit them. We now
have program P_i of sort {r_i, gi_i, gr_i, pi_i, pr_i}

    P_i = r_i (gi_i gr_i P'_i + gr_i gi_i P'_i)

where

    P'_i = pi_i pr_i P_i + pr_i pi_i P_i

and program F_i of sort {r_i, r_(i ⊖ 1), gr_i, pr_i, gi_(i ⊖ 1), pi_(i ⊖ 1)}

    F_i = r_i gr_i pr_i F_i + r_(i ⊖ 1)

Our constructed system SYS = P_1 • P_2 • P_3 • F_1 • F_2 • F_3 is again built
out of instances of the above generic programs. To illustrate where
synchronisation may take place between the components we picture
SYS as follows

[Figure: SYS and the synchronisation points between its components]

We may now exhaustively use axiom [• +] to expand SYS.
We can see that we do not obtain subprograms which terminate
(with A) and so our system does not deadlock.

A problem here is that the expansion via [• +] is quite
tiresome and soon produces a program of unmanageable complexity.
We are soon unsure whether we have missed out some subprograms
or not. For three philosophers and three forks, we can just about
manage. We can progress far enough to see that we do not get
subprograms similar to the gi_1 gi_2 gi_3 A which we get in the
original system, but a much larger expansion is needed to convince
ourselves that A does not arise at all.

If our system contained a larger number of philosophers and
forks than three then an expansion using axiom [• +] to check for the
presence of A would be impossible. We would even wish to show
such a system free from deadlock for n philosophers and forks, for
all n.

A methodology for this will be introduced in a later paper.
It utilises the rigorous structure of interconnection among philosophers
and forks and allows us to prove the absence of A by induction on n,
the number of components in the system.
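
The check that the text performs by hand for n = 3 can be mechanised by a brute-force search of the reachable states; the sketch below is an added example, not part of the paper, and it is neither the [• +] expansion itself nor the inductive method mentioned above. It assumes that a label is performed jointly by every agent whose sort contains it, that the environment always offers the external labels e_i and t_i, and that the second summand of the reserving fork mirrors its first (r_(i ⊖ 1) gi_(i ⊖ 1) pi_(i ⊖ 1) F_i), as its sort indicates; the function and state names are hypothetical.

```python
from collections import deque

def pred(i, n):
    """i (-) 1: subtraction modulo n over the indices 1..n."""
    return (i - 2) % n + 1

def philosopher(i, reserve):
    """Transition table {state: [(label, next_state), ...]} for P_i."""
    gl, gr, pl, pr = f"gi{i}", f"gr{i}", f"pi{i}", f"pr{i}"
    if reserve:
        # P_i = r_i (gi gr P'_i + gr gi P'_i),  P'_i = pi pr P_i + pr pi P_i
        return {"idle": [(f"r{i}", "start")],
                "start": [(gl, "hasL"), (gr, "hasR")],
                "hasL": [(gr, "both")], "hasR": [(gl, "both")],
                "both": [(pl, "dropL"), (pr, "dropR")],
                "dropL": [(pr, "idle")], "dropR": [(pl, "idle")]}
    # P_i = gi gr P'_i + gr gi P'_i,  P'_i = e_i (pi pr t_i P_i + pr pi t_i P_i)
    return {"idle": [(gl, "hasL"), (gr, "hasR")],
            "hasL": [(gr, "ready")], "hasR": [(gl, "ready")],
            "ready": [(f"e{i}", "both")],
            "both": [(pl, "dropL"), (pr, "dropR")],
            "dropL": [(pr, "think")], "dropR": [(pl, "think")],
            "think": [(f"t{i}", "idle")]}

def fork(j, n, reserve):
    """F_j serves philosopher j (as right fork) and philosopher j (-) 1 (as left fork)."""
    k = pred(j, n)
    table = {"heldR": [(f"pr{j}", "free")], "heldL": [(f"pi{k}", "free")]}
    if reserve:
        # Assumed shape: F_j = r_j gr_j pr_j F_j + r_k gi_k pi_k F_j
        table["free"] = [(f"r{j}", "resR"), (f"r{k}", "resL")]
        table["resR"] = [(f"gr{j}", "heldR")]
        table["resL"] = [(f"gi{k}", "heldL")]
    else:
        # F_j = gr_j pr_j F_j + gi_k pi_k F_j
        table["free"] = [(f"gr{j}", "heldR"), (f"gi{k}", "heldL")]
    return table

def sort_of(agent):
    """The sort of an agent: every label that guards one of its transitions."""
    return {label for moves in agent.values() for label, _ in moves}

def successors(agents, sorts, labels, state):
    """Yield (label, next_state): a label fires only if every agent
    that has it in its sort can perform it in its current local state."""
    for label in labels:
        nxt, enabled = list(state), True
        for idx, (agent, srt) in enumerate(zip(agents, sorts)):
            if label not in srt:
                continue                      # agent is not involved
            targets = [t for l, t in agent[state[idx]] if l == label]
            if not targets:
                enabled = False               # one participant refuses
                break
            nxt[idx] = targets[0]
        if enabled:
            yield label, tuple(nxt)

def find_deadlock(n, reserve):
    """Breadth-first search of SYS = P_1 .. P_n, F_1 .. F_n.
    Returns (shortest trace to a state with no enabled label, or None,
    number of states visited)."""
    agents = ([philosopher(i, reserve) for i in range(1, n + 1)] +
              [fork(j, n, reserve) for j in range(1, n + 1)])
    sorts = [sort_of(a) for a in agents]
    labels = sorted(set().union(*sorts))
    start = ("idle",) * n + ("free",) * n
    trace = {start: []}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        moves = list(successors(agents, sorts, labels, state))
        if not moves:
            return trace[state], len(trace)   # nothing can happen: deadlock
        for label, nxt in moves:
            if nxt not in trace:
                trace[nxt] = trace[state] + [label]
                queue.append(nxt)
    return None, len(trace)

if __name__ == "__main__":
    for n in (3, 4, 5):
        for reserve in (False, True):
            found, visited = find_deadlock(n, reserve)
            kind = "with r_i" if reserve else "original"
            print(n, kind, "deadlock after", found, "states visited:", visited)
```

The search is exhaustive only for the n supplied, so it confirms individual instances and does not replace a proof for all n.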
DEADLOCK AND TERMINATION

We introduce the nullary operator A as the identity of operator +,
and so also the empty sum. It has previously been mentioned that
we are taking A to represent, in our language, the deadlock phenomenon.
Deadlock is a system property that exists when all the components of
the system are mutually waiting for each other to perform some action
which must take place before they can proceed. A classic example
of this appears in the dining philosophers problem where a philosopher
must access two resources, called forks, which he shares with
different philosophers before he can proceed to eating. Deadlock
arises when we have shared resources; that is, we have competition
among agents which wish to interact with a resource agent. Thus A
may arise due to the definition of the • operator.

Suppose we have the programs P and Q with sorts {α, β, γ} and
{α, β} respectively, which are defined by

    P = γ α β P_1 + γ P_2

    Q = β α Q_1

and we leave subprograms P_1, P_2 and Q_1 unspecified for the present.

By axiom [• +] we have that

    P • Q = γ A + γ (P_2 • Q)

The α and β labels are internal while the γ label is external
to P • Q. As P wishes to perform a γ synchronisation with the
environment and as γ is external then P can evolve to program
α β P_1 without any cooperation from Q. Now as α and β are both
internal labels program α β P_1 must receive an α stimulus from Q
for a synchronisation to take place. But program Q wishes a β
stimulus before a synchronisation can take place. As nothing else
can happen α β P_1 and Q become deadlocked so α β P_1 • Q = A.

P may of course, on receipt of a γ stimulus from the
environment, proceed to program P_2. Suppose we define P_2 as
P_2 = β α P then by axiom [• +] we have that

    P_2 • Q = β α (P • Q_1)

So after an external γ we have that synchronisation on the β followed
by α labels takes place and the original programs P and Q have
evolved to P and Q_1 respectively.

We now have that P • Q gives program

    γ A + γ β α (P • Q_1)

using axiom [• +] repeatedly.

Following one of the γ guards we get P and Q (actually P has evolved
to α β P_1) becoming deadlocked whilst following the other γ guard
deadlock does not result and β and α synchronisations take place.

Our  system  composed  of  P  and  Q  is  pictured  as  follows: 


In one case, following a γ, we have that "machine" 3 wishes to
interact with 2 on the α line whilst machine 2 wishes to interact
with 3 on the β line. Neither of these wishes may be satisfied and
so A results. In the other case both 3 and 2 wish to first of all
interact, i.e., exchange stimuli, on the β line followed by an
interaction on the α line. This can proceed via β and α synchronisations
with the behaviour of machine 3 evolving to P and that of machine
2 evolving to the behaviour represented by program Q.

In this example no separate resource program is competed
for but programs P and Q can be thought of as resources as viewed
by programs Q and P respectively. Deadlock results when both wish
to access each other. If the α label is interpreted as "access Q" and
β as "access P" then if P wishes to access Q while Q wishes to
access P then neither P nor Q is available to the other as a resource
and we get deadlock. If, on the other hand, P wishes to synchronise
on β, that is, it is offering itself as a resource to Q and Q also
wishes to synchronise on β, that is, access P, then a β synchronisation
is successfully performed and we do not have deadlock.

The above indicates how A gets introduced into programs as
the result of applying the • operator. We may also use A as the
termination operator; the "good" termination operator where deadlock
can be considered as "bad" termination. A program R which wishes
to receive an α stimulus followed by a β stimulus and then successfully
terminate is defined by

    R = α β A

When we compose a terminated program A with some other, say
program S, then A will cause A • S to deadlock, possibly following
a number of external guards, unless all of the guards in S are
external to A • S.

As an example consider A of sort {α} and S of sort
{α, β, γ} then if S is defined by

    S = β γ S + γ S

we have A • S giving program

    β γ (A • S) + γ (A • S)   of sort {α, β, γ}

which never produces A and so, by repeated use of axiom [• +],
never terminates. Suppose A is as above but T of sort {α, β, γ} is
defined by

    T = α γ T + γ T

then A • T gives program γ (A • T) by use of axiom [• +]. Again,
A does not result as an externally labelled γ guard can always appear.

But suppose we replace T by program U which is identical
except that the + operator is replaced by ⊕ then

    U = α γ U ⊕ γ U

and

    A • U = (A • (α γ U)) ⊕ (A • γ U)    by axiom [• ⊕]

          = A ⊕ γ (A • U)                by axiom [• +] twice

So program A • U nondeterministically may deadlock or else react to
a γ stimulus (if one were available from the environment) to evolve
back into program A • U. Thus following the successful receipt of
a γ stimulus again we have that deadlock may result and so on.

Two  terminated  programs  when  composed  obviously  give  us 
deadlock,  due  again  to  axiom  [•  +].  Note  that  the  sort  of  the 
"resulting"  A  is  the  union  of  that  of  the  two  components 

A  •  A  =  A 

This  is  a  theorem  derived  from  axiom  [•  +  ]. 

Our  language  manipulates  the  representation  of  deadlock  and 
termination  in  a  manner  corresponding  to  the  behaviour  of  real 
systems.  We  use  only  one  symbol  to  represent  both  deadlock  and 
termination  since  in  many  ways  they  model  the  same  phenomena. 

In  conclusion  we  have  termination  as  a  "wholesome"  feature  and 
a  property  of  one  computing  agent  and  so  of  one  program.  Deadlock 
appears  when  we  have  two  or  more  agents  present  and  is  thus  a 
property  of  two  or  more  interacting  programs. 
6. HIDING

6.1 Why We Require Hiding

We can define a queue by

    Q(ε) = δ_0 Q(0) + δ_1 Q(1)

where

    Q(n^1) = σ_1 Q(n) + δ_0 Q(0^n^1) + δ_1 Q(1^n^1)

and

    Q(n^0) = σ_0 Q(n) + δ_0 Q(0^n^0) + δ_1 Q(1^n^0)

We assume that ε is the empty string and ε^i = i^ε = i. If we
define another queue we would like to be able to adjoin them and
produce a new queue.

Let us introduce a relabelling operator into our language. It is
not strictly necessary but it allows us to produce instances of generic
programs without the need to rewrite them.

The postfixed operator [α/β] when applied to a program p
changes each β label to an α label. All other labels remain
unchanged. We must ensure that α is not in the sort of p.

The  following  two  axioms  are  sufficient  to  express  the  intended 
meaning  of  this  relabelling  operator: 

[/  +  ]  (  Z  aiPi)  [P/“]  =  (  E  l3(Pi[P/Q'l))  +  (  E 

i  a^=a  a^a 

where  p  is  not  a  member  of  the  sort  of  ^  ' 



It is clear how this operator behaves. The acceptance semantics
for programs constructed using this relabelling operator is not given
and is left as an exercise for the reader. We shall not prove the
consistency of these two axioms. This, together with the definition of
other axioms relating [/] to the A, and -α operators, can be performed
by the reader. Note that [/] can change the sort of a program. If p
has sort L then p[β/α] has sort (L ∪ {β}) - {α}. Here we assume
that β ∉ L.

As an example consider (αp_1 + βp_2)[γ/α]. This gives
γ p_1[γ/α] + where we replace all occurrences of α by γ.
The operator [γ/α] is recursively applied to the renewal programs
p_1 and p_2 so replacing all occurrences of α by γ in the whole program.

Now  let  us  redefine  our  queue  to  give  it  a  maximum  size: 

    QN(0, ε) = δ_0 QN(1, 0) + δ_1 QN(1, 1)

where

    QN(i, S^1) = σ_1 QN(i-1, S) + δ_0 QN(i+1, 0^S^1) + δ_1 QN(i+1, 1^S^1)

and

    QN(i, S^0) = σ_0 QN(i-1, S) + δ_0 QN(i+1, 0^S^0) + δ_1 QN(i+1, 1^S^0)

and

    QN(N, S^1) = σ_1 QN(N-1, S)  and  QN(N, S^0) = σ_0 QN(N-1, S)

Then  Q*  =  QN(£)  [  a  J <r  Qq/^q  ]  is  as  for  QN(S)  but  has  the  output 
renamed  by  a.  Similarly,  Q"  =  QM(E)  [  a  J  6  ,  6  ]  is  as  for 

QM(E) but has the inputs renamed by α. We can now join up Q' and
Q" using our concurrency operation to get SYS = Q' • Q" which should
behave as the single queue Q(M+N)(S) except that it contains an α
connector which allows other programs to synchronise through it.

We wish, after Q' and Q" have been composed, to hide the α guards
and so "internalise" them. The α is then internal to Q' and Q" and
cannot be provided with stimulus from without, i.e., the environment.

As another example of hiding take a binary semaphore. We
may define this by

    SEM = Σ_{1≤i≤n} p_i v_i SEM

where SEM has sort ∪_{1≤i≤n} {p_i, v_i}. Suppose we have two agents A
and B who access a resource using α and β labels respectively
and we wish A to mutually exclusively send an α stimulus
followed by another α stimulus to the resource. Similarly B should
generate a pair of β stimuli. Agent A would be defined as A = αA
(and B similarly) but we add p and v guards to their behaviour to
allow the semaphore to control them. We can therefore redefine
the agents to be

    A = p_1 α α v_1 A
    B = p_2 β β v_2 B

The p_1, v_1 and p_2, v_2 labels guard the critical sections αα and ββ
respectively and these sections must send stimuli to the resource
mutually exclusively.

The constructed system is then:

    CONSYS = A • B • SEM

where

    SEM = p_1 v_1 SEM + p_2 v_2 SEM

This can be pictured as follows when the programs are treated as
machines

[Figure: CONSYS pictured as machines; labels p_1, p_2]

Now we wish the semaphore to control only how A and B
access the resource (which is in the environment!) so we would
wish to hide the p_1, p_2, v_1 and v_2 ports (actually they are connectors)
and prevent further programs attaching onto them. We would like
the above picture to have the p_1, p_2, v_1 and v_2 labels removed.

The operation -α when applied to a program hides the α
guards but we wish that it leaves the rest of the behaviour of the
program unchanged.

We introduce the following axioms to define hiding:

    [-+1]  (Σ_i α_i p_i) - α = (Σ_{α_i ≠ α} α_i (p_i - α) + Σ_{α_i = α} (p_i - α)) ⊕ Σ_{α_i = α} (p_i - α)

    [-⊕]   (⊕_i p_i) - α = ⊕_i (p_i - α)

As an example of the first axiom consider the following:

    (βp_1 + αp_2) - α = (β(p_1 - α) + (p_2 - α)) ⊕ (p_2 - α)

Here we assume α is internal to βp_1 + αp_2. If not then it is treated
differently and how we do this is given later. As it is internal, the α
guard represents the result of a synchronisation. Thus when
hidden we do not know whether it may take place or not.

If a β stimulus comes from the environment then two things
may happen; the β may be accepted or the internal α synchronisation
may take place and prevent the β guard from receiving a stimulus.
The ⊕ operator introduces this nondeterministic behaviour.

But suppose the environment does not produce a β stimulus
then something may always happen; the internalised α synchronisation.
That is why we use the + operator to compose the result of hiding
the synchronisation with the guards that remain unchanged. The
hiding operation is applied recursively to the programs that follow
the guarding labels, both the hidden and unchanged ones.

How does this hiding work when applied to our semaphore
example; that is, what program results? Let us use the [• +] axiom
a number of times to expand CONSYS. Of course we could keep on
applying CONSYS indefinitely since none of the constituent programs
of CONSYS terminate (with A) and when composed, A never results.

    CONSYS = p_1 ((α α v_1 A) • (p_2 β β v_2 B) • (v_1 SEM))
           + p_2 ((p_1 α α v_1 A) • (β β v_2 B) • (v_2 SEM))
                                                  by [• +]

           = p_1 α α ((v_1 A) • (p_2 β β v_2 B) • (v_1 SEM))
           + p_2 β β ((p_1 α α v_1 A) • (v_2 B) • (v_2 SEM))
                                                  by [• +] 4 times

           = p_1 α α v_1 (A • B • SEM) + p_2 β β v_2 (A • B • SEM)
                                                  by [• +] twice

           = p_1 α α v_1 CONSYS + p_2 β β v_2 CONSYS

The presence of the p's and v's prevents the α and β pairs
interleaving which is what we require but we wish the p's and v's
to be internalised. We shall first of all hide out p_1 and see what we
get:

    CONSYS - p_1 = (((α α v_1 CONSYS) - p_1) + p_2 ((β β v_2 CONSYS) - p_1))
                   ⊕ (α α v_1 CONSYS) - p_1                     by [+-]

                 = (α α v_1 (CONSYS - p_1) + p_2 β β v_2 (CONSYS - p_1))
                   ⊕ α α v_1 (CONSYS - p_1)                     by [⊕-] and [+-]

    CONSYS - p_1 - p_2 = (α α v_1 (CONSYS - p_1 - p_2) + β β v_2 (CONSYS - p_1 - p_2))
                         ⊕ β β v_2 (CONSYS - p_1 - p_2) ⊕ α α v_1 (CONSYS - p_1 - p_2)

    CONSYS - p_1 - p_2 - v_1 - v_2 = (α α (CONSYS - p_1 - p_2 - v_1 - v_2)
                                      + β β (CONSYS - p_1 - p_2 - v_1 - v_2))
                                     ⊕ β β (CONSYS - p_1 - p_2 - v_1 - v_2)
                                     ⊕ α α (CONSYS - p_1 - p_2 - v_1 - v_2)

                                   = α α (CONSYS - p_1 - p_2 - v_1 - v_2)
                                     ⊕ β β (CONSYS - p_1 - p_2 - v_1 - v_2)      by [⊕⊕+]

Here we can see that the α and β pairs are uninterleaved as required.
The nondeterminism operator is introduced since the environment
after hiding has no control over how the semaphore controls the
agents. The semaphore forces β's to the exclusion of α's and α's to
the exclusion of β's and as the semaphore is now abstracted away
so we have ⊕ introduced.

Hiding usually introduces ⊕ when applied to CNF programs and
as explained above, this is to be expected. But suppose in our
semaphore example we want to control the action of the agents A and
B so that α and β pairs are not interleaved and we also wish that
the shared resource (which may be composed on to the controlled
system later) should have the ability to choose an α pair or a β pair.
We do not have this when hiding p's and v's in CONSYS, as above,
since the hiding introduces ⊕ and we now would require the two
subprograms to be separated by +.

We can design a semaphore to synchronise directly on the
agents' α and β guards to produce a new constructed system NSYS
which does not require the removal of additional guards. We require
that NSYS = α α NSYS + β β NSYS.

If our semaphore is defined as

    SEM = α α SEM + β β SEM

and our agents are not altered by the addition of p and v guards,
that is, they are defined by

    A = αA and B = βB

then our constructed system is

    SEM • A • B = α α (SEM • A • B) + β β (SEM • A • B)

and so SEM • A • B = NSYS as required. Note that SEM, NSYS, and
SEM • A • B are all identical programs, that is, they have the same
meaning or behaviour.

6.2 The Hiding Semantics


Using our acceptor semantics we now formalise the meaning of
our hiding operation. Let us assume that we are hiding internal
labels. The external label hiding will be dealt with later.

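We introduce the following notation:

    (p, α) = {*}   for   ∀q . (p, α) → q ⇒ q = *

           [(p, β) = {*}] ∧ [(p, α) = {*}] ∧ [α ∈ L_p^INT] ∧ [p in CNF]
    15.    -------------------------------------------------------------
           (p-α, β) = {*}

           (p, β) → p'
    16.    ------------------
           (p-α, β) → p'-α

           ⋁_{n≥1} [(p, α) → p_1] ∧ [(p_1, α) → p_2] ∧ ... ∧ [(p_n, β) → p'] ∧ [α ∈ L_p^INT] ∧ [p ∧ p_n in CNF]
    17.1   ----------------------------------------------------------------------------------------------------
           (p-α, β) → p'-α

           ⋁_{n≥1} [(p, α) → p_1] ∧ [(p_1, α) → p_2] ∧ ... ∧ [(p_n, β) = {*}] ∧ [(p_n, α) = {*}] ∧ [α ∈ L_p^INT] ∧ [p ∧ p_n in CNF]
    17.2   ----------------------------------------------------------------------------------------------------
           (p-α, β) = {*}

           ⋁_{n≥1} [(p, α) → p_1] ∧ [(p_1, α) → p_2] ∧ ... ∧ [(p_n, β) → *] ∧ [α ∈ L_p^INT] ∧ [p ∧ p_n in CNF]
    17.3   ----------------------------------------------------------------------------------------------------
           (p-α, β) → *

           [(p, β) = {*}] ∧ [α ∈ L_p^EXT] ∧ [p in CNF]
    18.    --------------------------------------------
           (p-α, β) = {*}

           (p-α, β) → *
    19.    ----------------------
           ((p ⊕ q)-α, β) → *

           (q-α, β) → *
    20.    ----------------------
           ((p ⊕ q)-α, β) → *
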

Condition 15 states that if program p always produces * on an α
stimulus and it always produces * on a β stimulus then program p-α
always produces * on a β stimulus. As p is in CNF, (p, β) → * ⇔ (p, β) = {*}.
For p ⊕ q, i.e., a program in DNF, condition 19 says that if p-α
gives * on a β then so also does (p ⊕ q)-α. We treat CNF and DNF
programs differently here since for DNF r, (r, β) → * ⇎ (r, β) = {*},
unlike a CNF program.

Condition 16 states that even if program p can accept an α then
provided p accepts a β and produces p' then p-α also accepts a β and
it produces the program p'-α. This holds for α being both internal
and external.

If p produces * on a β then we do not have p-α producing * on
a β since the program q say, which we get when p accepts the α, may
accept a β or produce a program whose offspring may accept a β.
It is only when a β is not accepted by p or any of its offspring which
result from some number of α stimuli (possibly one) being forced at
it, do we get p-α giving an * on receipt of a β. 17.2 does this for
CNF p_n and 17.3 does this for DNF p_n. The need for both 17.2 and
17.3 is the same as for 15 and 19 (and 20).



Condition 17.1 states that if after some number n of α stimuli
(possibly one) program p evolves into program p_n which produces p'
on a β stimulus, then p-α produces p'-α on a β stimulus.

As we are hiding internal labels, then α's appear in q due to
a synchronisation on α's taking place. When we hide them we wish
to preserve the behaviours which result from such α synchronisations.
Hence the behaviour which occurs after a synchronisation in p, i.e.,
the β stimulus on condition 17.1, should also occur in p-α.

The difference between internal and external guards is given
in the next chapter but we can note here that condition 18 states that
for external α and p in CNF, if p gives * then so also does p-α. It
is similar to 15 except we ignore whether α's can be accepted or not,
as α is external.

Conditions 19 and 20 indicate how we get * after hiding on DNF
programs, 16 applies to both CNF and DNF p and so indicates how a
program results when a hidden DNF program receives a stimulus.


To see how the semantics works for hiding let us try some
examples:

(1)  ((γp + βq)-α, γ) → p-α      by 16 as (γp + βq, γ) → p
     ((γp + βq)-α, β) → q-α      similarly

(2)  ((αγp + βq)-α, γ) → p-α     by 17.1 as (αγp + βq, α) → γp, (γp, γ) → p
     ((αγp + βq)-α, β) → q-α     by 16 as (αγp + βq, β) → q
     ((αγp + βq)-α, β) → *       by 17.2 as γp is in CNF and
                                 (αγp + βq, α) → γp and (γp, β) → *.

and if δ is in the sort of our program then:

     ((α(γp ⊕ δr) + βq)-α, δ) → *     by 17.3 as
                                      ((αγp + βq), α) → (γp ⊕ δr)
                                      and (γp, δ) → * giving
                                      ((γp ⊕ δr)-α, δ) → * by 19.


6.3 Internal and External Guards

We  wish  to  be  able  to  distinguish  between  guards,  i.e.,  labels, 
which  are  produced  by  the  concurrency  operator  •  when  two  or  more 
programs  synchronise,  and  those  which  do  not.  The  former  are 
internal  guards  and  the  latter  are  external  guards. 

To  do  this  we  change  the  notion  of  sort  from  being  a  set  of 
labels  to  a  pair  of  sets  of  labels.  The  first  set  are  external  labels 
and  the  second  set  are  the  internal  labels.  These  two  sets  are 
disjoint  and  when  unioned  together  produce  our  previous  notion  of  sort. 

Initially  most  of  the  sort  labels  will  be  external  unless  we  wish 
to  designate  some  as  internal.  Our  operators  are  also  sorted  and  will 
now  be  as  follows: 

    α      :  ⟨L_1, L_2⟩ → ⟨L_1, L_2⟩

    •      :  ⟨L_1, L_2⟩ × ⟨M_1, M_2⟩ → ⟨(L_1 ∪ M_1) - P, L_2 ∪ M_2 ∪ P⟩

              where P = (L_1 ∪ L_2) ∩ (M_1 ∪ M_2)

    -α     :  ⟨L_1, L_2⟩ → ⟨L_1 - {α}, L_2 - {α}⟩

    +      :  ⟨L_1, L_2⟩ × ⟨L_1, L_2⟩ → ⟨L_1, L_2⟩

    ⊕      :  ⟨L_1, L_2⟩ × ⟨L_1, L_2⟩ → ⟨L_1, L_2⟩

    [β/α]  :  ⟨L_1, L_2⟩ → ⟨(L_1 ∪ {β}) - {α}, (L_2 ∪ {β}) - {α}⟩

It is the concurrent composition which produces new internal
guards.

We have seen that hiding internal guards preserves the program
which follows the guard (with hiding occurring in it as well). The
reason for this is that an internal guard results from a synchronisation
and we wish to preserve that behaviour which follows from this
synchronisation. A synchronisation is an interaction among programs and once
hidden we do not know whether it will occur or not and so need to
allow for all possibilities; one is that it does occur and so the
acceptance behaviour which occurs after the synchronisation should
also occur in the hidden program.

But suppose we hide an external guard, one which does not
appear due to a synchronisation having been effected. Then it does
not make sense to allow the hidden program to accept in the same way
as for internal guards. Since labels are used as "synchronisation
points" an external guard has labels which have not been used in
synchronisation.
Thus an interaction has not occurred on an external guard and when
hidden the following program, that which is guarded by the "to be
hidden" label, is also lost.

The hiding here prevents entrance to the program which is
protected by the guard. We therefore define hiding for external label
α by

    (Σ_i α_i p_i) - α = Σ_{α_i ≠ α} α_i (p_i - α)

and

    (⊕_i p_i) - α = ⊕_i (p_i - α)

and we see that, compared to the definition for internal labels, we do
not include the (hidden versions of the) subprograms which are guarded
by the α label.

Our  semantics  for  external  hiding  is  given  by  conditions  16  and 
18  above,  for  successful  and  unsuccessful  receipt  of  a  stimulus 
respectively. 

Examples

(i)    (αp - α, β) → *  since (αp, β) → *

(ii)   ((αp + βq) - α, β) → q-α  since (αp + βq, β) → q
       ((αp + βq) - α, γ) → *  since (αp + βq, γ) → *

(iii)  ((βαp + γq) - α, β) → (αp) - α  since (βαp + γq, β) → αp

(iv)   ((αp ⊕ βq) - α, β) → *  as ((αp) - α, β) → * by (i) above.

       ((αp ⊕ βq) - α, β) → q-α  as ((βq) - α, β) → q-α

The definitions given for hiding are axioms of our language. We have
the following set:

    [-+1]  (Σ_i α_i p_i) - α = (Σ_{α_i ≠ α} α_i (p_i - α) + Σ_{α_i = α} (p_i - α)) ⊕ Σ_{α_i = α} (p_i - α)
           where α ∈ L^INT

    [-+2]  (Σ_i α_i p_i) - α = Σ_{α_i ≠ α} α_i (p_i - α)
           where α ∈ L^EXT

    [--]   p - α - β = p - β - α

    [-⊕]   (p ⊕ q) - α = (p - α) ⊕ (q - α)

    [-•]   (p • q) - α = (p - α) • (q - α)   if α ∉ L_{p•q}^INT

The first two axioms define internal and external hiding on CNF
programs; [--] states that it is immaterial the order in which we
hide while [-⊕] says that hiding a program in DNF is the same as
if we form the program from the hidden subprograms using ⊕. The
[-•] axiom states that concurrently composing then hiding is the same
as hiding the components and then concurrently composing, provided
that what is hidden is an external label of p • q.

These axioms together with the preceding ones are later shown
to satisfy our equivalence relation.

It should be noted that some of the complexity in defining our
acceptance semantics over hiding is in the need to treat CNF and DNF
programs differently, particularly when * is a result. The problem
stems from the semantics not differentiating between how p ⊕ q and
p + q react to a stimulus which either p or q react acceptably to, i.e.,
do not give *. Also, the semantics have to distinguish between how
such DNF and CNF programs produce *. It is possible that a
semantics using modal operators to express "sometimes" and "always"
may produce a simpler, cleaner semantics.

6.4  Hiding  in  our  Dining  Philosopher's  Example 

In  our  "solution"  to  the  dining  philosopher's  problem  we 
introduced  a  reservation  guard  to  each  philosopher  and  his  neighbouring 
forks  to  prevent  deadlock.  If  we  abstract  out  these  reservation 
guards  from  the  composite  system  SYS,  what  program  are  we  left 
with? 

For three philosophers and three forks we use axiom [+•] to
get that

$$\begin{aligned}
SYS = {} & r_1 (gl_1\, gr_1\, S_1 + gr_1\, gl_1\, S_1) \\
& + r_2 (gl_2\, gr_2\, S_2 + gr_2\, gl_2\, S_2) \\
& + r_3 (gl_3\, gr_3\, S_3 + gr_3\, gl_3\, S_3)
\end{aligned}$$

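where $S_i = pl_i\, pr_i\, SYS + pr_i\, pl_i\, SYS$ for $i = 1, 2, 3$.

Using axiom [-+1] a number of times to hide internal guard
$r_1$ gives us:

$$\begin{aligned}
SYS - r_1 = {} & \big( (gl_1\, gr_1\, (S_1 - r_1) + gr_1\, gl_1\, (S_1 - r_1)) \\
& \quad + r_2 (gl_2\, gr_2\, (S_2 - r_1) + gr_2\, gl_2\, (S_2 - r_1)) \\
& \quad + r_3 (gl_3\, gr_3\, (S_3 - r_1) + gr_3\, gl_3\, (S_3 - r_1)) \big) \\
& \oplus \big( r_2 (gl_2\, gr_2\, (S_2 - r_1) + gr_2\, gl_2\, (S_2 - r_1)) \\
& \quad + r_3 (gl_3\, gr_3\, (S_3 - r_1) + gr_3\, gl_3\, (S_3 - r_1)) \big)
\end{aligned}$$

where

$(S_i - r_1) = pl_i\, pr_i\, (SYS - r_1) + pr_i\, pl_i\, (SYS - r_1)$

Using axiom [-+1] to hide the $r_2$ and then the $r_3$ guards gives us:

$$\begin{aligned}
SYS - r_1 - r_2 - r_3 = {} & (R_1 + R_2 + R_3) \\
& \oplus (R_1 + R_2) \oplus (R_1 + R_3) \oplus (R_2 + R_3) \\
& \oplus (R_1 \oplus R_2 \oplus R_3)
\end{aligned}$$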


where

$R_i = gl_i\, gr_i\, R_i + gr_i\, gl_i\, R_i$

and

$R_i = pl_i\, pr_i\, (SYS - r_1 - r_2 - r_3) + pr_i\, pl_i\, (SYS - r_1 - r_2 - r_3)$.

Using axiom [⊕⊕+] three times we get:

$SYS - r_1 - r_2 - r_3 = (R_1 + R_2 + R_3) \oplus R_1 \oplus R_2 \oplus R_3$.

We now need to use another axiom here; the extension of axiom
[⊕⊕+] to three components rather than two.

Axiom [⊕⊕+] states that

$x \oplus y \oplus (x + y) = x \oplus y$.

Let us replace this axiom by the following axiom, or rather, family of
axioms.

[⨁Σ] $\bigoplus_i x_i \oplus \sum_i x_i = \bigoplus_i x_i$, for all programs $x_i$ and for all $i$

We now use the instance of this class of axioms for i = 3. This gives

$SYS - r_1 - r_2 - r_3 = R_1 \oplus R_2 \oplus R_3$.

This constructed system can be seen to be free from deadlock
by inspection. We see that the hiding operation introduces ⊕ to a
program SYS which previously did not contain such nondeterminism
constructs. Whether our hidden system gives program $R_1$ or $R_2$ or $R_3$
now depends on some internalised choice mechanism, the $r_i$ guards,
which we have abstracted away from.

The informal justification for axiom [⨁Σ] just extends that
for [⊕⊕+]. In our appendix we prove that axiom [⊕⊕+] is sound
with respect to our semantic interpretation of the language. We
believe that a generalised form of this proof would also show the
soundness of [⨁Σ].

CONCLUDING REMARKS

The formal system presented here allows us to represent
communication and concurrency features as found in systems of
interacting computing agents. This corresponds to how the functional
concepts in serial programs are represented using the calculus.
Properties such as termination and deadlock can be expressed in the
formalism. Proofs of equivalence type properties can be performed
while the framework can also be used to reason about deadlock
features, for instance. Other proof tools need to be developed; one
approach is to enable ourselves to perform induction on the number
of components in a system, the dining philosophers problem for
example. Work along this line has been fairly successful and will be
reported in a future paper.

One problem met in concurrent programming is how to deal
with the interleaving of synchronisation and computation features. One
approach, as adopted by Campbell and Habermann, uses Path Expressions
[1] to remove the synchronisation and control constructs from the
rest of the program. The computation and control features are then
separated. To a lesser extent monitors [3] also perform this function.

The approach we adopt is to have synchronisation as the
primitive language feature with the more usual computation being
added to this core. The simplest example of this approach, as presented
in this paper, excludes values and so computation. It is not difficult
though to add in value-passing and computation features. These are
present in a related formal system, the CCS of Milner [8]. Both
CCS and our formal system are developed from a process model of
concurrency [7] where value-passing is present. Related work
includes that of Hoare [4] together with the work of Hoare and
others on models of CSP [5].

We have adapted the concept of experimentation as used by
Milner and Hennessy [2] in the construction of our notion of
acceptance semantics. This operational approach is due originally
to Landin [6], who used an abstract machine to represent the
semantics of a language. A less concrete operational semantics
involving relations rather than abstract machines was introduced by
Plotkin in [9]. This is closer to our notion of acceptance semantics.

One possible deficiency of this work is in the use of interleaving
to deal with concurrent action. Future work will attempt to produce a
model which does not rely on such arbitrary interleaving. Further
proof methodologies remain to be developed and this should allow us
to test our formal system on some large and realistic examples.
This empirical approach should, it is hoped, justify our design of
the model and, if not, illustrate how it could be altered to better
represent reality.

APPENDIX I: The Equivalence Relation is a Congruence


We define ~ to be the intersection $\bigcap_n \sim_n$ over n where

$p \sim_0 q$ if $p, q \in W$ and of sort $L$

$p \sim_{n+1} q$ iff $\forall \alpha \in L.$

(a) $(p, \alpha) \to * \Rightarrow (q, \alpha) \to *$

(b) $(q, \alpha) \to * \Rightarrow (p, \alpha) \to *$

(c) $(p, \alpha) \to p' \Rightarrow \exists q'.\ (q, \alpha) \to q',\ p' \sim_n q'$

(d) $(q, \alpha) \to q' \Rightarrow \exists p'.\ (p, \alpha) \to p',\ p' \sim_n q'$

Note that p' and q' are program variables and so cannot be *. Thus
we wish to show that for any words m and n in then

$m \sim n \Rightarrow \forall$ contexts $C[\ ].\ C[m] \sim C[n]$.

Contexts are formed using the guarding, choice, nondeterminism,
hiding and concurrency operations. To show congruence it is therefore
sufficient to show that for m, n and q of sort L,
m ~ n implies:

(1) $\forall q.\ m + q \sim n + q$

(2) $\forall q.\ m \oplus q \sim n \oplus q$

(3) $\forall \gamma \in L.\ \gamma m \sim \gamma n$

(4) $\forall \gamma.\ m - \gamma \sim n - \gamma$

(5) $\forall p.\ m \bullet p \sim n \bullet p$

Proof. Assume $m \sim n$. Then for some $\alpha \in L$, the sort of m and n, we
have

1) Show for $m + q$. Assume m, n and q in CNF. If not we use
[+⊕] to get for some CNF component of m that $(m + q, \alpha) \to *$ if
$(m_i + q, \alpha) \to *$. Then show that $(m_i + q, \alpha) \to *$ implies $(n_i + q, \alpha) \to *$
for some CNF $n_i$, a component of n. This is just the CNF case below.

1.a) Case $(m + q, \alpha) \to *$ then by 15 we have that $(m, \alpha) \to *$ and
$(q, \alpha) \to *$. As $m \sim n$ then $(n, \alpha) \to *$ hence $(n + q, \alpha) \to *$ by 15, as
required.

1.b) Case $(n + q, \alpha) \to *$, as 1.a).

1.c) Case $(m + q, \alpha) \to p$ where $p \neq *$.
Then by 3 and 4 either $(m, \alpha) \to p$ or $(q, \alpha) \to p$.

1.c.1) $(m, \alpha) \to p$ and as $m \sim n$ then $\exists p'$ such that
$(n, \alpha) \to p'$ and $p \sim p'$ and so $(n + q, \alpha) \to p'$ by 3, as
required.

1.c.2) $(q, \alpha) \to p$ and by 4 $(n + q, \alpha) \to p$.
As $p \sim p$ then we have what is required.

1.d) Case $(n + q, \alpha) \to p$ where $p \neq *$, as 1.c).

We now have that if $m \sim n$ then $\forall q.\ (m + q) \sim (n + q)$.

2) Show for $m \oplus q$. Assume m, n and q in CNF.

2.a) Case $(m \oplus q, \alpha) \to *$ then by 6.2 and 7.2 either $(m, \alpha) \to *$ or
$(q, \alpha) \to *$, respectively.

2.a.1) $(m, \alpha) \to *$ and as $m \sim n$ then $(n, \alpha) \to *$.
By 6.2 $(n + q) \to *$, as required.

2.a.2) $(q, \alpha) \to *$ implies $(n + q) \to *$ by 7.2.

2.b) Case $(n \oplus q, \alpha) \to *$, as 2.a).

2.c) Case $(m \oplus q, \alpha) \to p$ where $p \neq *$. By 6.1 and 7.1 either
$(m, \alpha) \to p$ or $(q, \alpha) \to p$, respectively.

2.c.1) $(m, \alpha) \to p$. As $m \sim n$ then $(n, \alpha) \to p'$ and $p \sim p'$.
By $(n \oplus q, \alpha) \to p'$, as required.

2.c.2) $(q, \alpha) \to p$ and by 7.1 $(n \oplus q) \to p'$, as required.

2.d) Case $(n \oplus q, \alpha) \to p$, as 2.c).

So have that $m \sim n$ implies $(m + q) \sim (n + q)$ for all q.

3) Show for $\gamma m$.

3.a) Case $(\gamma m, \alpha) \to *$ implies $\alpha \neq \gamma$ by 2. We thus have $(\gamma n, \alpha) \to *$.

3.b) Case $(\gamma n, \alpha) \to *$, as above.

3.c) Case $(\gamma m, \alpha) \to m$, from 1 with $\alpha = \gamma$. Then $(\gamma n, \alpha) \to n$ and as
$m \sim n$ we have required result.

3.d) Case $(\gamma n, \alpha) \to n$, as 3.c). Thus $m \sim n$ implies $\gamma m \sim \gamma n$.

4) Show for $m - \gamma$. Assume m and n are in CNF, otherwise
axiom [-⊕] can be used to get CNF terms.

4.a) $(m - \gamma, \alpha) \to *$ then either

4.a.1) $(m, \alpha) \to *$ and $(m, \gamma) = \{*\}$ and $\gamma$ is internal then as
$m \sim n$, so $(n, \alpha) \to *$ and $(n, \gamma) = \{*\}$ and again $\gamma$ is
internal (as m and n have the same sorts). Thus
$(n, \alpha) \to *$.

4. a.  2)  3ns.  t.  •  [(m,  y)  —  m1  ]  a  [(m,  y)  —  ]  A  -  *  * 

•  •  •  a  [(mn»  y)  —  *3  a  [(mQ>  «)“•*] 

and  a  is  internal  to  m  (and  so  also  n).  As  m  ~  n  then 
(n,  y)  n^  and  m^  ~  n^,  in  which  case  (n^,  y)  •  •  • 

and  (nQ,  7)  — •  *  and  (nQ,  a)  -*■  *.  Hence  (n-y,  a)  -*  *, 
as  required. 

4. a.  3)  (m,  or)  —  *  and  a  is  external  to  m  (and  so  also  to  n). 

As  m  ~  n  then  (n,  a)  -*  *  and  so  (n-7,  or)  — 1 ►  #,  as  required 

4.b)  as  for  4. a)  by  symmetry 

4.c)  (m-7,  a)  “*  p-y  then  either 


4.C.1)  (m,  a)-~p.  As  m  ~  n  then  3"i  such  that  m  ~  ^  ^n  and 

(n,  a)  —  q  with  p  ~.q  and  (n-7,  a)  —  q-a.  Now  p  ~q  q 
(always  true)  and  let  us  assume  that  p-y  q-7.  This 
is  sufficient  as  (n-7,  a)  -*  q-a  and  p-7  q-7  to  give 

m-y  n-y  and  so  m-y  ~  n-y  if  other  clauses  hold.
This  follows  by  induction  on  the  index  of  our

^  - 

equivalence  relation  and  is  used  in  some  of  the 
following  clauses. 

4.C.Z)  jjjns.t.  [(m,y)  -mj  A  [(m^v  — *  m^]  a  *** 

•••A  [(rn^  y)  —  mn3  a  [(mn»  «)  “*  p]  and  &  is  internal 
to  m  (and  so  to  n).  As  m  ~  n  then  3  ni  suc^  that 
(n,  y)  —  n^  and  ~  n^.  Hence  (n^.y)  -*  n^  *•*  and 
^nn-l’  nn  anc*  (nn»  V)  q  with  p  ~  q.  Using  an 
argument  as  in  4.C.1)  we  get  (n-y,  a)  —  q -<*  with 
m-y  —  n-y  if  other  clauses  hold. 

4. d)  as  for  4.c)  by  symmetry.  Thus  ¥y*m~n  implies  m-y  ~  n-y 

where  y  lies  in  the  sort  of  m  and  so  of  n). 

5) Show for $m \bullet p$. Let m and n be in CNF. Axiom [•⊕] can be
used on DNF terms to get CNF components on which to reason
as follows:

5.a) $(m \bullet p, \alpha) \to *$ then by 12 and 13 either

5.a.1) $(m, \alpha) \to *$ and so $(n, \alpha) \to *$ by $m \sim n$ and by 12,
$(n \bullet p, \alpha) \to *$.

or 5.a.2) $(p, \alpha) \to *$ and so by 13 $(n \bullet p, \alpha) \to *$.

5.b) follows 5.a) by symmetry.

5.C.1)  (m  •  p,  or)  —  m  '  •  p  and  (m,  a)  —  m'  and  a  is  not  in  the  sort  of  p. 
Now  as  m  ~  n  then  (n,  a)  -*  n'  and  m'  ~  n' .  Here  we  assume 
m’  •  P  ~q  n1  •  p  and  m1  •  p  n'«p.  As  (n,  a)  —  n’  and  a  not  in 
sort  of  p  then  (n  •  p,  a)  —  n'  •  p.  Thus  m  «  p  ,  n#  p  and  so 

1*7*  1
also  m  *  p  ~  n«  p  if  other  clauses  for  •  hold.

5.  c.  2)  (m  •  p,  a)  — ■  m  •  p'  and  (p,  a)  -*■  p'  and  a  is  not  in  sort  of  m. 

As  m  ~  n  then  (n  •  p,  a)  —  n  •  p' .  Assume  map1  ~q  nm  p1  and 

m  •  p'  n  •  p'  and  so  m  •  p  n  •  p  and  also  m  •  p  ~  n  •  p 

if  other  clauses  for  •  hold. 

5.  c.  3)  (m  •  p,  a)  -*■  m1  •  p'  and  (m,  a)  — *■  m'  and  (p,  a)  p' .  As  m  ~  n 

then  (a,  a)  -**  n'  and  m1  ~n'.  Assume  m'  •  p'  n1  •  p'  and 

m1  •  p'  n1  •  p1  and  so  we  have  m1  •  p  ,  ,  n«  p  and  so  also 
r  l  r  r  i+l 

m#p~n#p  if  other  clauses  for  •  hold. 

5.d)  follows  5.c)  by  symmetry. 

We therefore have, for all programs p, that $m \sim n$ implies $m \bullet p \sim n \bullet p$.
By 1) to 5) we have that our equivalence relation ~ is a congruence
and we can now replace parts (or subprograms) of programs in our
language by equivalent parts without changing the meaning of the
program as a whole.

What programs in our language are equivalent, or to rephrase
this question, how do we construct equivalent programs?

Our axioms define an equivalence relation and we would like
this equivalence to be the same as ~. We now show that our axioms
are sound with respect to ~; that is, if a = b is an equality arrived
at by using the axioms then a ~ b. We are then able to replace
program a by program b without changing meaning (as a ~ b).

Our axioms are thus consistent with our notion of equivalence (in terms
of our acceptance relation). We would also like our set of axioms
to be complete; that is, if a ~ b then we have a = b using the axioms
alone. This is believed to be the case but a proof remains to be
performed. The proof of consistency of the axioms now follows.
9.


APPENDIX  II:  Consistency  of  the  Axioms 


We  shall  show  that  if  p  =  q  using  our  axioms,  then  p  ~  q. 

It  is  sufficient  to  show  that  every  axiom  gives  us  an  equivalence 

Proof. We shall assume that expression variables x and y in the
following are in CNF. If they were in DNF, conditions 6, 7, 19 and 20
are used to access their CNF components, and we then need to reason
about these.

Axioms  [+j],  [+^],  [++1  atl<^  are  obvious.  As  an  example 

let  us  deal  with  [+A], 

[+A] a) $(x + A, \alpha) \to *$ implies $(x, \alpha) \to *$ and $(A, \alpha) \to *$ by 5. The latter
is always true.

b) $(x, \alpha) \to *$ implies $(x + A, \alpha) \to *$ by 5 since $(A, \alpha) \to *$ always
holds, and x is in CNF.

c) $(x + A, \alpha) \to x'$ implies $(x, \alpha) \to x'$ by 3, since we never have
$(A, \alpha) \to x'$.

d) $(x, \alpha) \to x'$ implies $(x + A, \alpha) \to x'$ by 3.

All four clauses follow from relation conditions 5 and 3 and $x + A \sim x$ as
required.

[⊕^] a) $(x \oplus x, \alpha) \to *$ implies that $(x, \alpha) \to *$

b) $(x, \alpha) \to *$ implies that $(x \oplus x, \alpha) \to *$

c) $(x \oplus x, \alpha) \to x'$ implies that $(x, \alpha) \to x'$

d) $(x, \alpha) \to x'$ implies $(x \oplus x, \alpha) \to x'$

using conditions 6 and 7. Axioms [⊕^] and [⊕⊕] again
follow immediately from conditions 6 and 7 and are omitted.

[+⊕] a) $(x + (y \oplus z), \alpha) \to *$ implies that $(x, \alpha) \to *$ and $(y \oplus z, \alpha) \to *$
and this latter implies that either $(y, \alpha) \to *$ or $(z, \alpha) \to *$.
Hence $(x, \alpha) \to * \wedge (y, \alpha) \to *$ or $(x, \alpha) \to * \wedge (z, \alpha) \to *$, in
which case $((x + y) \oplus (x + z), \alpha) \to *$.

b) $((x + y) \oplus (x + z), \alpha) \to *$ implies that $(x + (y \oplus z), \alpha) \to *$ as for a) above.

c) $(x + (y \oplus z), \alpha) \to p$ implies that $(x, \alpha) \to p$ or $(y \oplus z, \alpha) \to p$, the
latter again giving that either $(y, \alpha) \to p$ or $(z, \alpha) \to p$.

c.1) if $(x, \alpha) \to p$ then $(x + y, \alpha) \to p$ and so $((x + y) \oplus (x + z), \alpha) \to p$.

c.2) if $(y, \alpha) \to p$ then $(x + y, \alpha) \to p$ and so $((x + y) \oplus (x + z), \alpha) \to p$.

c.3) if $(z, \alpha) \to p$ then $(x + z, \alpha) \to p$ and so $((x + y) \oplus (x + z), \alpha) \to p$.

d) $((x + y) \oplus (x + z), \alpha) \to p$ and so either $(x + y, \alpha) \to p$ or $(x + z, \alpha) \to p$.
So either $(x, \alpha) \to p$ or $(y, \alpha) \to p$ or $(z, \alpha) \to p$.

d.1) $(x, \alpha) \to p$ and so $(x + (y \oplus z), \alpha) \to p$

d.2) $(y, \alpha) \to p$ and so $(y \oplus z, \alpha) \to p$ then $(x + (y \oplus z), \alpha) \to p$.

d.3) as d.2).

$x + (y \oplus z) \sim (x + y) \oplus (x + z)$ follows. In the above, conditions 3, 4, 5, 6 and 7
are used.

[⊕⊕+] a) $(x \oplus y \oplus (x + y), \alpha) \to *$ implies either

a.1) $(x, \alpha) \to *$ and so $(x \oplus y, \alpha) \to *$, by 6.2

a.2) $(y, \alpha) \to *$ and so $(x \oplus y, \alpha) \to *$, by 7.2 and 6.2

a.3) $(x + y, \alpha) \to *$ and so $(x, \alpha) \to *$ and $(y, \alpha) \to *$ hence
$(x \oplus y, \alpha) \to *$ by 7.2 and 5.

b) $(x \oplus y, \alpha) \to *$ implies either, by 6.2,

b.1) $(x, \alpha) \to *$ and so $(x \oplus y \oplus (x + y), \alpha) \to *$

b.2) as for b.1)

c) $(x \oplus y \oplus (x + y), \alpha) \to p$ implies either

c.1) $(x, \alpha) \to p$ and so $(x \oplus y, \alpha) \to p$ by 6.1,

c.2) $(y, \alpha) \to p$ and so $(x \oplus y, \alpha) \to p$ by 6.1 and 7.1

c.3) $(x + y, \alpha) \to p$ and so either $(x, \alpha) \to p$ in which case
$(x \oplus y, \alpha) \to p$ or $(y, \alpha) \to p$ and again $(x \oplus y, \alpha) \to p$.
By 3, 4, 6.1 and 7.1.

d) $(x \oplus y, \alpha) \to p$ implies either

d.1) $(x, \alpha) \to p$ and so $(x \oplus y \oplus (x + y), \alpha) \to p$, by 6.1 or

d.2) $(y, \alpha) \to p$, as for d.1).

$x \oplus y \oplus (x + y) \sim x \oplus y$ then follows.

[•] a) $(x \bullet y, \alpha) \to *$ implies that

a.1) by 12, $(x, \alpha) \to *$ and by 13, $(y \bullet x) \to *$

a.2) by 13, $(y, \alpha) \to *$ and by 12, $(y \bullet x) \to *$.

b) as for a)

c)  (x  •  y,  or)  -*■  p  implies  that 

c.  1)  a  4  J-y  and  (x,  a)  “*■  x'  and  p  =  x'  •  y.  Assume  x'  #  y  ~^y#  x* 
and  x'  •  y  ~Q  y  •  x<  then  condition  9  gives  (y  •  x,  a)  — •  y  •  x', 
with  y  •  x'  ~  x'  •  y  by  induction  on  ~  . 

c.  2)  a  4  L  and  (y»  a)  —  y'  and  p  =  x  •  y' ,  similarly. 

c.  3)  a  4  L,  D  L  and  (x,  a)  -*•  x'  and  (y,  a)  — *  y'  and  p  =  x'  •  y' . 

x  y 

Aa  for  c.  1)  using  11. 

d)  as  for  c) 

Then  x  •  y  ~  y  •  x  . 
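The [+⊕] and [⊕⊕+] arguments above, and the [α⊕+] one later in this appendix, discharge clauses (a) to (d) of ~ by hand; the same obligation can be checked mechanically on finite terms. The following Python example is added here and is not code from the paper: it assumes that conditions 1 to 7 have the form in which these proofs cite them (the paper's own statement of the conditions lies outside this excerpt), covers only guarding, + and ⊕ without hiding or concurrency, and the names `results`, `equiv`, `sample_pool` and `counterexample` are invented for the illustration.

```python
from itertools import product

# ASSUMPTION: conditions 1-7 are reconstructed from how the proofs cite them;
# this is not the paper's own statement of the acceptance relation.
STAR = "*"       # the unacceptable result written * in the proofs
NIL = ("nil",)   # the null program (printed as A in [+A]): always gives *


def g(label, p=NIL):
    """Guarding: `label` followed by program p."""
    return ("g", label, p)


def plus(p, q):
    """Choice, the paper's +."""
    return ("+", p, q)


def oplus(p, q):
    """Nondeterminism, the paper's circled plus."""
    return ("o", p, q)


def results(p, a):
    """Set of all r with (p, a) -> r; r is a program term or STAR."""
    kind = p[0]
    if kind == "nil":
        return {STAR}
    if kind == "g":                        # conditions 1 and 2
        return {p[2]} if p[1] == a else {STAR}
    left, right = results(p[1], a), results(p[2], a)
    if kind == "o":                        # conditions 6.1, 6.2, 7.1, 7.2
        return left | right
    out = (left | right) - {STAR}          # conditions 3 and 4
    if STAR in left and STAR in right:     # condition 5
        out.add(STAR)
    return out


def equiv(p, q, n, labels):
    """p ~_n q over the sort `labels`, using clauses (a)-(d) of Appendix I."""
    if n == 0:
        return True
    for a in labels:
        rp, rq = results(p, a), results(q, a)
        if (STAR in rp) != (STAR in rq):                       # (a), (b)
            return False
        sp, sq = rp - {STAR}, rq - {STAR}
        if any(not any(equiv(x, y, n - 1, labels) for y in sq) for x in sp):
            return False                                       # (c)
        if any(not any(equiv(x, y, n - 1, labels) for x in sp) for y in sq):
            return False                                       # (d)
    return True


# Axioms as (arity, left-hand side, right-hand side); keys are ASCII names.
AXIOMS = {
    "+o":  (3, lambda x, y, z: plus(x, oplus(y, z)),
               lambda x, y, z: oplus(plus(x, y), plus(x, z))),
    "oo+": (2, lambda x, y: oplus(oplus(x, y), plus(x, y)),
               lambda x, y: oplus(x, y)),
    "ao+": (2, lambda x, y: plus(g("a", x), g("a", y)),
               lambda x, y: oplus(g("a", x), g("a", y))),
}

LABELS = ("a", "b")   # constructed sort used for the sample terms


def sample_pool(labels):
    """Constructed sample terms: guards, nested guards, and +/(+) pairs."""
    base = [NIL] + [g(l) for l in labels]
    nested = [g(l, b) for l in labels for b in base[1:]]
    pairs = list(product(base, repeat=2))
    return (base + nested
            + [plus(x, y) for x, y in pairs]
            + [oplus(x, y) for x, y in pairs])


def counterexample(name, pool, n, labels):
    """First argument tuple on which the axiom fails ~_n, or None."""
    arity, lhs, rhs = AXIOMS[name]
    for args in product(pool, repeat=arity):
        if not equiv(lhs(*args), rhs(*args), n, labels):
            return args
    return None


if __name__ == "__main__":
    pool = sample_pool(LABELS)
    for name in AXIOMS:
        print(name, "counterexample:", counterexample(name, pool, 4, LABELS))
    x, y = g("a"), g("b")
    print("a+b on a:", results(plus(x, y), "a"))
    print("a(+)b on a:", results(oplus(x, y), "a"))
    print("a+b ~_1 a(+)b:", equiv(plus(x, y), oplus(x, y), 1, LABELS))
```

The last three lines show the difference the proofs rely on: + and ⊕ have the same non-* results, but only ⊕ can also give * when just one operand does.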

[•  •  ]  similar  to  [•  ]  using  conditions  9.  10,  11,  12  and  13. 

[•  +]  for  x  =  J  (JLix.  and  y  =  Y  then 

a)  (x  •  y,a)  — ■  *  implies  that  either 

a.  1)  by  12  for  CNF  x,  (x,  or)  =  {*}  in  which  case  either 

a.  1.  1)  ^  Yj  F-^x.#  q. ) , ar^  =  {*}  by  5,  for  ae^and  a/L  or 

ix .  4  L  ' 

*1  ^  y 

a.  1.2)(  Y  ^(x..  y.),a)  =  {*  }  for  a  e  L  fi  L  by  5. 
u.=x.  J  * 

3 

a.  2)  by  13  for  CNF  y,  (y,  a )  =  {*}.  As  for  a.  1).
By  condition  5  this  makes  the  right  hand  side  of  axiom  [•  +]  give
{*}  on  receipt  of  an  a  stimulus,  via  our  relation.  The  three  clauses 
making  up  the  right  hand  side  are  mutually  exclusive  in  their  reaction 
to  stimuli  since  we  have  a  and  a  eLx  n  Ly* 


b)  Let  us  call  the  right  hand  side  of  axiom  [•  +]  rhs.  Then 


(rhs, a)  *  if  all  three  clauses  only  give  *  on  receipt  of  an  a.  As 
explained  above  this  arises  when  either 


b.  1) 


b.2) 


b.  3) 


rir  y 

(  Z.  P;<x  • 

p.?L  J 
\T  x 

(  Z 

^i=pj 

*LeLx  n  Ly 


y )»  a)  =  {*}  and  a  4  L^ 

y.),  a)  =  {*}  and  a  ^L 
J  x 

Yj)»  a)  =  {*}  and  a  /Lx  flL^ 


By  conditions  12  and  13  and  above  (x  •  y,  a)  =  {*}  as  required. 


c)  (x«y,or)  -*  p  implies  that 


c.  1)  a  ^Ly  and  (x,  a)  —  x'  and  p  =  x'  •  y,  by  9.  Then 

(  A  (x.  (x.  •  y),  a)  —  x  •  y  where  |x.  =  a  and  x.  =  x' 

T7  t  11  •  • 

H-  €  L. 

y 

and  so  (rhs,  a)  -*  x'  •  y. 


or  c.  2)  a  4  Lx  and  (y ,  a)  -*y'  and  p  =  x  #  y ' ,  by  10.  As  for  c.  1). 


or  c.  3)  a  €  Lx  D  L^  and  (x,  a)  -**x'  and  (y,  a)  — *  y',  by  II.  As  for  c.  1) 




d)  (rhs,a)  p  implies,  using  conditions  3  and  4,  that 

d.  1)  (  Yj  p^(x^#  y)*  a)  x1  •  y  where  p.^  =  a  and  x^  =  x1. 

ix. 

ri  y 

As  ax'  is  a  summand  of  x  then  by  9  (x  •  y»  or)  -*■  x1  •  y. 

d.2)  (  Y  p.(x#  y .),  a)  — •  x#  y' .  Similar  to  d.  1) 

p.^L  J  2 

d.3)  (  Y  p.  (x-  •  y-).  a)  —  x1  •  y1 .  Similar  to  d.  1). 

ll.  =  p .  1  1  ^ 


By  a),  b),  c)  and  d)  we  have  that 


x  •  y  ~  rhs  ,  as  required. 

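[•⊕] a) $(x \bullet (y \oplus z), \alpha) \to *$ implies that either $(x, \alpha) \to *$ by 12, or
$(y \oplus z, \alpha) \to *$ by 13.

a.1) $(x, \alpha) \to *$ in which case $(x \bullet y, \alpha) \to *$ and $(x \bullet z, \alpha) \to *$ by 12,
hence $(x \bullet y \oplus x \bullet z, \alpha) \to *$ by 6.2 and 7.2.

a.2) $(y \oplus z, \alpha) \to *$ and so either $(y, \alpha) \to *$ or $(z, \alpha) \to *$ by 6.2
and 7.2 respectively.

a.2.1) $(y, \alpha) \to *$ and by 12 $(x \bullet y, \alpha) \to *$ so by 6.2
$(x \bullet y \oplus x \bullet z, \alpha) \to *$.

a.2.2) follows similarly.

b) $(x \bullet y \oplus x \bullet z, \alpha) \to *$ implies either $(x \bullet y, \alpha) \to *$ or $(x \bullet z, \alpha) \to *$

b.1) $(x \bullet y, \alpha) \to *$ and by conditions 12 and 13 either
$(x, \alpha) \to *$ or $(y, \alpha) \to *$.

b.1.1) $(x, \alpha) \to *$ and so $(x \bullet (y \oplus z), \alpha) \to *$ by 12.

b.1.2) $(y, \alpha) \to *$, so by 6 $(y \oplus z, \alpha) \to *$. By 13
$(x \bullet (y \oplus z), \alpha) \to *$.

b.2) $(x \bullet z, \alpha) \to *$ follows as for b.1).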

c)  (x  •  (y  ©  z),  a)  -*■  p  implies  either 

c.  1)  (x,  a)  — ’  x1  and  a  4 by  9  with  p  =  x'  •  (y  ©  z).  Thus 

(x  *  y,  a)  —  x'  «  y,  so  (x  •  y  ©  x  •  z,  ar)  -*  x'  •  y  by  6.1. 
and  as  L,  =  L  then 

y  z 

(x  •  z,  or)  -*■  x1  •  z,  so  (x  •  y  ©  x  •  z,  or)  x'  •  z  by  7.  1 . 

Then  (x  •  y  ©  x  •  z,  a)  —  x'  •  y  ©  x'  •  z  by  14,  and  x’  •  (y  ©  z)  ~ 

x'  *y  ©  x'  «z  by  an  inductive  argument  on  indexed  equivalences  as  used 
in  proofs  above  ([•]  for  instance).  Or 

c .  2)  (y  ©  z,  or)  -*  y 1  and  afL  by  10  with  p  =  x  •  y' . 

X 

Conditions  6.1  and  7.  1  imply  that  (y,  or)  —  y!  or  (z,a)-~z' 

c. 2.1)  (y,  a)  —  y'  and  (x»y,a)  -*x«y'  by  10  and  so 

(x  •  y  ©  x  •  z,  or)  x  «y'  by  6.1. 

c.2.2)  (z,or)  —  z'  follows  similarly.  Or 

c.  3)  (x,  or)  — ~  x'  and  (y  ©  z,  a)  — y'  by  11,  with  p  =  x'  •  y' .  Either 

(y,  ar)  -*y 1  or  (z,  a)  -*-y  ’  by  6.  1  and  7.  1.
c.  3. 1)  (y,  a)  — ■  y'  and  (x  •  y,  a)  x'  •  y1  by  11,

(x#y  ©  x«z,a)  -*x'  #y'  by  6.1. 

c. 3.2)  (z,  a)  — ■  y',  follows  similarly. 

d)  (x  •  y  ©  x  •  z,  a)  —  p  implies  either  (x  •  y,  a)  -*  p  by  6.1  or 
(x  •  z,  a)  — *  p  by  7.1. 

d.  1*)  (x«y,  a)  -*■  p  in  which  case  either 

d.  1.  1)  (x,  or)  — *  x1  and  a  with  p  =  x'  »y. 

As  =  Ly,  (x  •  (y  ©  z),  or)  -*  x1  •  (y  ©  z). 

Now  x1  •  (y  ©  z)  ~  (x'  •  y  ©  x1  •  z)  by  an  inductive 
argument  on  indexed  equivalences.  By  14, 

(x  •  (y  ©  z),  a)  — •  x(  •  y . 

d.  1. 2)  (y,  a )  —  y1  and  or ,4  L  ,  with  p  =  x  •  y' .  By  6.  1, 

A 

(y  ©  z ,  a)  —  y'  and  as  a  4 (x  •  (y  ©  z) ,  a.)  x  •  y'  by  10 

d.  1.  3)  (x,  a)  —  x'  and  (y,  a)  —  y',  with  p  =  x'  •y1 . 

By  6.  1,  (y  ©  z,  a)  —  y1  hence 
(x  •  (y  ©  z)  ,  a)  —  x'  #y',  by  11. 

d.2) $(x \bullet z, \alpha) \to p$, similar to d.1). By above
$x \bullet (y \oplus z) \sim x \bullet y \oplus x \bullet z$

[α⊕+] Show that $\alpha x + \alpha y = \alpha x \oplus \alpha y$.

a) $(\alpha x + \alpha y, \gamma) \to *$ implies by 2 and 5 that $\alpha \neq \gamma$. By 2,
$(\alpha x, \gamma) \to *$ and $(\alpha y, \gamma) \to *$ and $(\alpha x \oplus \alpha y, \gamma) \to *$ by 6.2 and 7.2.

b) $(\alpha x \oplus \alpha y, \gamma) \to *$ implies by 6.2 and 7.2 that either

b.1) $(\alpha x, \gamma) \to *$ and by 2, $\alpha \neq \gamma$. Then $(\alpha y, \gamma) \to *$ and
$(\alpha x + \alpha y, \gamma) \to *$ by 5. Or

b.2) $(\alpha y, \gamma) \to *$, as above.

c) $(\alpha x + \alpha y, \gamma) \to p$ and by 3 and 4 $(\alpha x, \gamma) \to p$ or $(\alpha x, \gamma) \to p$,
respectively.

c.1) $(\alpha x, \gamma) \to p$ and by 6.1 $(\alpha x \oplus \alpha y, \gamma) \to p$.

c.2) $(\alpha x, \gamma) \to p$ follows by symmetry.

d) $(\alpha x \oplus \alpha y, \gamma) \to p$ and by 6.1 and 7.1 either $(\alpha x, \gamma) \to p$ or
$(\alpha y, \gamma) \to p$, respectively.

d.1) $(\alpha x, \gamma) \to p$ and by 3, $(\alpha x + \alpha y, \gamma) \to p$.
d.2) $(\alpha y, \gamma) \to p$ similarly.
For  all  0eL  -  |a  with  x  =  7.  a.x. .

r  x  L  J  ^  1  1 

[-  +  ^  ]  Let  (  Tj  o'i(xi-o r)  +  §  (P^or))  ©  E  (p^-a)  be  rhs. 

a. or.  =  a  a..  -  a 

ill 

a)  (x-a,(3)  -*  *  implies  either 

a.  1)  (x,  (3)  —  *  and  (x,  a)  —  *  by  15.  As  x  =  E  a.x^ 

then  3  no  x1  such  that  (x,  a-)  =  x1.  E  (x.-a)  is  then 

a,=  a 

the  null  ©  sum.  This  derived  operation  in 

its  null  form  is  in  effect  an  identity  for  both  +  and  ©. 

As  (x,  0)  —  *  then  ^  T  ^(x^-a),  0^  —  *.  Finally, 

a.&  a 

(rhs, a)  —  *. 

a. 2)  3  n  >  1  such  that 

(x.  Of)  — '  x1  A  •  •  •  A  (xn_1  a)  —  xn  A  (xn,  (3)  —  *  by  7.  2. 

As  (x  a)  -*  *  and  (x  ,6)  -*  *  then  (x  -a,  0)  *  by  15. 

n  n  r  '  n  r  1 

Let  us  assume  x-a  rhs  for  i  <  n.  Now  either 

l  ~ 

x  ,  =  /.  a.x  .  ,  in  which  case 
n-i  ^  l  n-L 

a. 2.1)  (xn.1-a)~0(  E  ai<xn-l.“o)  +  §  K-i‘a)) 

a ^  a  l  a^=  a  l 

©  Tj  (x  .  -a).  As  (x  .,a)  —  x  then  3  = 

n- 1 .  n- 1  n  l 

a.=  a  i 

l 

a  with  x  ,  =  x  .  As  (x  -a,  0)  *  so 

n- n  n 

(xn_  ^  -a,0)  -*■  -f.  By  6.2,  as  §  derived  from 

©,  so  (  §  (xn_i  “<*)•  0^  “*■  *  and  by  6.2  again 
ca  =a  i 

(xn_j,-a,  0)  —  *.  Or 

a .  2 . 2  x^_  ^  =  y  ©  z .  By  axiom  [-  ©  ]  we  have 

(xn_^-a)  =  y -a  ©  z-a  and  can  apply  it  repeatedly 

to  get  some  y  (or  z)  of  form  E  a-x  •  We 

i 

then  follow  a.  2.1)  to  again  get  (x  , -a,0)  — *■  *. 

89  n- 1  • 


This  procedure  can  be  repeated  to  get 
(x^-or,  p)  — •  *  with  (x,  or)  —x^  As  x=^  onx. 
then  for  some  i,  a^  =  a  with  x^  =  x^.  We 
therefore  have  (^x.-or,  (3)-*-  *  by  6.2  and  by 
6.2  again  have  (rhs,(3)  — •  *. 

a. 3)  17.3  gives  a  similar  chain  but  with  xq  in  DNF.  We 

argue  as  for  a.  2)  for  one  of  its  CNF  components. 


b)  (rhs,j3)— implies  either  b.  1)  orb.  2)  by  6.2  and  7.2. 

b.l)  (  ^  a^x^-a)  +  §  (x^ahp)—  *.  Condition  5  gives  us 

a  a^=ar 

that  either 

b.i.l)  (  ]]  <z.(x  -or),  (3)  —  *  and  (  §  (x.-ar),  (3)  —  *. 

ast  a  or^=  a 

The  latter  gives  (ax.,  (3)  —  ^  by  2  and  the  former 

gives  (  ^  a.x.,j3)  -•*  *  by  3,4,  and  16.  By  3  and  4 
a^ct  1  1 

again  and  17.2  we  have  (x-a,  (3)  *.  Or 


b.  1.2)  (  Y  *Mxi"a)»P)  —  *  and  Y  is  null,  that  is, 

a^=a 

there  is  no  =  a.  In  this  case  (x,a)  — 1  *  and  . 
15  gives  (x-or,  (3)  —  *. 


b.l. 3)  (  Y  (x.-ar), (3)  *  and  Y  i-3  null*  Thus  all 

a-j=  a  a^~  a 

a.' s  =  a  and  as  (  Y  (x.-ar),  {3)  -*  *  17.2  gives 

a^-a 

(p-or,  (3)  — ■  *. 

b.2)  (  Y  (Xj-a),  |3 -*  *.  As  for  b.l.  3).
c)  (x-a»p)  -*■  p  implies  that  either

c.l)  (x,  (3)  -*p'  and  p  =  p*  -  a.  As  p  =  ^  ajPi  3  some 
such  that  a^  =  (3  and  p^  =  p',  by  3.  For  this  i, 

(ari(pi"af)’  I3)  bY  1*  bY  3,  (  Y  «*(?!"«)  + 

a.=£  a 

Y  (Pi“«)»P)  —  (p'-or)  and  by  6.1,  (rhs,  p)  —  p'-a.  Or 
a^~  a 

c. Z)  ^  some  n  >  1  such  that  (x,  a)  -*•  a  *  *  *  a  (xn_  <*)  “ *  xn 

and  (xq,  (3)  ~ *p'.  Let  us  assume  p-a  ~\  rhs  for  i  <  n. 

By  16,  (x^-of,  j3)  —■  p'-a,  and  as  (xQ_^,a)  “*  xn  then 
(xn_^-a,j3)  —■p'-a  using  equivalence  for  i  ^  n,  as  we 
did  in  a).  Repeating  this  for  i  up  to  n  we  get 
(x^-ar,  |3)  —  p'-a. 

As  (x,  a)  —  x^  and  x  =  Y  <*.x^  then  ^  some  i 

such  that  a^  =  a  and  x^  =  x^ .  As  (x^-a,  p)  —  a  then 

(  Y  (x*-ar)»P)  -*p,-a  by  6.1.  Again  by  6.1, 
ai=  01 

(rhs,  pi  —  p'-a. 

d)  (rhs,p)  —  p  implies  that  either 

d.  1)  (  a.(x.-a)  +  ©1  (x.-a),p)  —  p  and  either 

a^£  a  a.=  a 

d.  1.  1)  (  Y  a.(x.-a),  p)  -*  p  in  which  case  ^  some  i 
atf  a  1  1 

such  that  a^  =  p  and  p  =  (x^-a).  So 

(aiXi*  P^  xi’  anc*  (X»P)  — '  x..  Condition  16  then 

gives  (x-a,  p)  —  x'-a.
d.  1.  Z)  (  Y  (x.-a),  (3 )  — ^ p  and  by  6.1).

a.-cx 

i 

^  Some  i  such  that  ((x^-ar),  |3)  — »  p  and  a  =  or 
As  (osx.,  a)  x.  then  by  3> 

(  Y  BiX-i’  ^  ~~  xi»  i-  e-  *  (p»  a)  —  Xj. 

As  (x.-ar,  p)  — '  p  then  by  16  (x^,  (3 )  —  pT  with  p  =  p'-ar. 
Using  (p,ar)  — *■  x^  and  16.1  we  have  (p-ar,  p)  -•*  p'-ar. 

d.Z)  (  Y  (x.-a),  (3)  — *  p,  as  for  d.  l.Z.  We  therefore  have 

a.  -  a 
l 

p-ar  ~  (  Y  +  Y  (Pi‘a))  ®  2]  (x^-ar)  for  internal  a. 

'asit  a  as  =  or  as  =  a 

-  +  -.1  Let  x  =  /  .  ar.x. . 

ZJ  ^  l  l 

a)  (x-a.p)-—*  implies,  by  16,  that 

(x,  p)  -*  *.  By  5,  for  all  i,  (osx.,  p)  —  *.  Thus 

(  Y  ai(xi~«)*  p)  “**  *• 

ar.£  a 

b)  (  Y  a-.(x.-ar),  p)  — *  *  implies  that  for  all  i  such  that  a.  £  a, 

cc.*  a  1  1  1 

i 

(as(x^-ar),  p)  -*  *.  In  this  case  there  is  no  i  such  that 
as  =  p  in  Zj  ajxx  ’  ^  and  ^x’  P)  “*  *• 

c)  (x-a,  p)  —  p  implies  that  (x,  p)  —  p'  with  p  =  p'-ar,'  by  16. 

Then  ^  some  i  such  that  ar^  =  p,  and  x^  =  p’,  and 

(os^-or),  p)  —■  p'-ar  by  16.  By  3,  (  Y  a^x.-ar),  p)  —  p’-ar. 

as#  a 

d)  (  Y  a.(x.-o),p)  “*■  p  implies,  by  3,  that  ^  i  such  that 

afa  1  1 

as  =£  or  and  (as(x.-or),  p)  p.  By  16,  (ar^,  p)  -*  p1  with 
p  =  p’-a,  and  by  3  (p,p)  — -p’.  This  gives  (p-ar,  &)  -—  p’-a  by  16. 
p-ar  ~  Y  f°r  external  or. 

Q£ 

1  ;
[-•] We show $(x \bullet y) - \alpha \sim (x - \alpha) \bullet (y - \alpha)$ for $\alpha \in L_x$ and $\alpha \notin L_y$. Because
of this $y - \alpha = y$. The case with $\alpha \in L_y$ and $\alpha \notin L_x$ follows by
symmetry. Case internal $\alpha$:

a)  (x#y)  -  a,  (3)  — ■  *  implies  either 

a.  1)  ((xoy),  p)  —  *  and  (x  •  y),  a)  —  *,  by  15.  In  this  case  either 

a.  1.  1 ) . (x,  p )—  *,  by  12  and  as  (x,a)  — *  *  so  (x-a,p)  —  *by  15. 
By  12,  ((x-a)  •  (y»P)  —  *. 

a.  1.2)  (y,p)  —  *.  By  13,  ((x-a)  •  (y-a),  P)  -*■  *. 

a. 2)  3  some  n  >  1  such  that 

((x  •  y),  a)  —  pl  a  *  *A  (pn-1,er)  —  Pn  and  (pQ,  a)  —  *  and 
(pn,  p)  —  *  by  17.  2.  By  9  we  have  (x,  p)  —  x1  and 
(x^,  a)  —  xz  •  •  •  where  p.^  =  xi*  y  (as  a  ). 

As  (xn,  or)  —  *  and  (xq,  p)  -*■  *  we  have  by  17.2  that 
(x-ar,  p)  -*•  *.  By  12,  ((x-a)  *y,  p)  —  Or 

a.  3)  By  17.3  we  have  a  similar  chain  but  with  p^  in  DNF . 

Follows  a.  2)  for  some  CNF  component. 

b) ((x-α) • y, β) → * implies either

b.1) (x-α, β) → *, in which case either

b.1.1) (x, α) → * and (x, β) → * and by 12, (x • y, α) → *
and (x • y, β) → *. By 15, ((x • y)-α, β) → *.

b.1.2) ∃ some n > 1 such that (x, α) → x_1 ∧ ... ∧ (x_{n-1}, α) → x_n and
(x_n, α) → * and (x_n, β) → *, by 17.2. As
α ∉ L_y, by 9 we have
(x • y, α) → (x_1 • y) ∧ ... ∧ (x_{n-1} • y, α) → (x_n • y)
and ((x_n • y), α) → * and ((x_n • y), β) → *. By
17.2, ((x • y)-α, β) → *.

b.  1. 3)  by  17.3  we  have  a  similar  chain  with  DNF  x^.  As 
for  b.  1.2)  with  a  CNF  component. 

b.2) (y, β) → * and by 13, (x • y, β) → *.

b.2.1) (x, α) → * and as α ∉ L_y, (x • y, α) → * and by 15,
((x • y)-α, β) → *.

b.2.2) (x, α) → x_1 ∧ ... ∧ (x_n, α) → * ∧ (x_n, β) → *.
As α ∉ L_y then (x • y, α) → x_1 • y ∧ ... ∧ (x_n • y, α) → *
and (x_n • y, β) → *. By 17.2, ((x • y)-α, β) → *.

c) ((x • y)-α, β) → p implies

c.1) (x • y, β) → p' and p = p'-α, by 16.

c.1.1) β ∉ L_y and 9 gives
(x, β) → p" with p' = p" • y. By 16,
(x-α, β) → p"-α and as β ∉ L_y 9 gives
(x-α • y-α, β) → (p"-α) • (y-α). Now
(p" • y)-α ~ (p"-α) • (y-α) by an inductive
argument on our indexed definition of ~ as required.

c.1.2) β ∉ L_x, as for c.1.1) by symmetry using 10.

c.1.3)  a  4  similar  to  c.1.1)  using  II. 
c.2) ∃ some n such that (x • y, α) → x_1 • y ∧ ... ∧
((x_{n-1} • y), α) → x_n and (x_n • y, α) → * and
(x_n • y, β) → p' with p = p'-α. For this (x, α) → x_1 ∧ ...
∧ (x_{n-1}, α) → x_n and (x_n, α) → *, by 9. Now
(x_n • y, β) → p' in three ways by 9, 10, and 11.

c.2.1) β ∉ L_y and 9 gives (x_n, β) → p" with p' = p" • y.
By 17.1 (x-α, β) → p"-α and as β ∉ L_y, by 9
(x-α • y, β) → (p"-α) • y. Now
(p" • y)-α ~ (p"-α) • y by an inductive argument
on the indexed definition of ~ as required.

c.2.2) β ∉ L_x follows similarly using 10.

c.2.3) β ∈ L_x ∩ L_y follows using 11.

d) ((x-α) • y, β) → p implies either

d.1) (x-α, β) → p', β ∉ L_y with p = p' • y, by 9. This arises
with either

d.1.1) (x, β) → p" where p' = p"-α. As β ∉ L_y 9 gives
(x • y, β) → p" • y and 16 gives ((x • y)-α, β) →
(p" • y)-α. As p = (p"-α) • y then (p"-α) • y ~
(p" • y)-α by induction on definition of ~.

d.1.2) ∃ n where (x, α) → x_1 ∧ ... ∧ (x_{n-1}, α) → x_n and
(x_n, α) → * and (x_n, β) → p" where p' = p"-α.
As α, β ∉ L_y, (x • y, α) → (x_1 • y) ∧ ... ∧ (x_{n-1} • y, α)
→ x_n • y and (x_n • y, α) → * and (x_n • y, β) → p" • y.
By 17.1, ((x • y)-α, β) → (p" • y)-α. Now
p = (p"-α) • y ~ (p" • y)-α, by induction on
definition of ~.

d.2) (y, β) → p', β ∉ L_x, follows in a simpler way.

d.3) (x-α, β) → p' and (y, β) → p". Follows in a similar
manner to d.1).

We now have (x • y)-α ~ (x-α) • y for internal α such that α ∉ L_y. The
case with α ∉ L_x follows by symmetry.

Case external α:- Again assume x and y in CNF as laws [- ⊕] and
[⊕ •] can be used to get this.

a) ((x • y)-α, β) → * implies by 18 that (x • y, β) → *. Either
(x, β) → * or (y, β) → *.

a.1) (x, β) → * and by 18, (x-α, β) → * and (x-α • y, β) → *, by 12.

a.2) (y, β) → * and by 13, (x-α • y, β) → *.

b) (x-α • y, β) → *. By 12 and 13 either

b.1) (x-α, β) → *, in which case (x, β) → *, by 18. Then
(x • y, β) → * by 12 and ((x • y)-α, β) → * by 18, as α is
external.

b.2) (y, β) → * and so (x • y, β) → * by 13, and
((x • y)-α, β) → * by 18.

c) ((x • y)-α, β) → p implies by 16 that (x • y, β) → p' where p = p'-α

c.1) By 9, (x, β) → p" and β ∉ L_y with p' = p" • y then
(x-α, β) → p"-α, by 16 and (x-α • y, β) → (p"-α) • y by 9.
Now p = (p" • y)-α ~ (p"-α) • y by induction on
definition of ~.

c.2) By 10, (y, β) → p" and β ∉ L_x. As for c.1) using 10.

c.3) By 11, (x, β) → p" and (y, β) → p"'. As for c.1) using 11.

d) ((x-α) • y, β) → p implies that

d.1) (x-α, β) → p' and β ∉ L_y with p = p' • y. By 16 we have
(x, β) → p" where p' = p"-α. By 9, (x • y, β) → p" • y
and by 16 ((x • y)-α, β) → (p" • y)-α. Now
p = (p"-α) • y ~ (p" • y)-α by induction on definition of ~.

d.2) (y, β) → p' and β ∉ L_x, with p = (x-α) • p' and
((x • y), β) → x • p', by 10. ((x • y)-α, β) → (x • p')-α by 16.
Now p = (x-α) • p' ~ (x • p')-α by induction on ~.

d.3) (x-α, β) → p' and (y, β) → p" follows in a similar fashion
to d.1) using 11.

Now have that (x • y)-α ~ (x-α) • y for external α. The case with
α ∉ L_x, i.e., (x • y)-α ~ x • (y-α) follows by symmetry.

[-⊕] Show (x ⊕ y)-α ~ (x-α) ⊕ (y-α) for CNF x and y.
a) ((x ⊕ y)-α, β) → * if either

a.1) by 19, (x-α, β) → * and so ((x-α) ⊕ (y-α), β) → *, by 6.2.
or a.2) by 20, (y-α, β) → *. As for a.1).

b) ((x-α) ⊕ (y-α), β) → * implies that either

b.1) by 6.2, ((x-α), β) → * hence, ((x-α) ⊕ (y-α), β) → *, by 19.

b.2) by 7.2, ((y-α), β) → *. As for b.1).

c) ((x ⊕ y)-α, β) → p implies either

c.1) for internal or external α:- by 16, (x ⊕ y, β) → p'
with p = p'-α. Either

c.1.1) (x, β) → p' by 6.1, and
(x-α, β) → p'-α by 16, and
((x-α) ⊕ (y-α), β) → p'-α by 6.1.

c.1.2) (y, β) → p' by 7.1. As for c.1.1).

c.2) for internal α only:- by 17.1 ∃ some n such that
(x ⊕ y, α) → p_1 ∧ (p_1, α) → p_2 ∧ ... ∧ (p_n, β) → p' with
p = p'-α. Either

c.2.1) by 6.1, (x, α) → p_1 and by above (x-α, β) → p and
((x-α) ⊕ (x-α), β) → p', by 6.1. Or

c.2.2) by 7.1, (y, α) → p_1. As for c.2.1).

d) ((x-α) ⊕ (y-α), β) → p which implies that either

d.1) by 6.1, (x-α, β) → p. Now either

d.1.1) for internal and external α:- by 16, (x, β) → p'
where p = p'-α. Now (x ⊕ y, β) → p' by 6.1 and
((x ⊕ y)-α, β) → p by 16.

d.1.2) for internal α only:- by 17.1 ∃ some n such that
(x, α) → p_1 ∧ ... ∧ (p_n, β) → p' where p = p'-α.
By 6.1, (x ⊕ y, α) → p_1 and ((x ⊕ y)-α, β) → p
follows by 17.1.

d.2) by 7.1, (y-α, β) → p. As for d.1). We now have that
(x ⊕ y)-α ~ (x-α) ⊕ (y-α).

[--] Show x-α-β ~ x-β-α. Case CNF x; that is, x = Σ_i γ_i.x_i.

a) Case internal α and β:- (x-α-β, γ) → * if either, for CNF x-α,

a.1) by 15, (x-α, γ) = {*} and (x-α, β) = {*} for CNF x-α.
Now (x-α, γ) = {*} if either

a.1.1) by 15, (x, γ) = {*} and (x, α) = {*}. Now
(x-α, β) = {*} if (x, β) = {*} since (p, α) = {*}.
By 15, (x-β, γ) = {*} and (x-β, α) = {*} and
(x-β-α, γ) = {*}, by 15 again.

a.1.2) by 17.2, ∃ n such that
(x, α) → p_1 ∧ ... ∧ (p_n, α) → * and (p_n, γ) → *.
As (x-α, β) → * and (x, α) → p_1, i.e., (p, α) ≠ {*},
∃ m such that (x, α) → q_1 ∧ ... ∧ (q_m, α) → * and
(q_m, β) → *. Then, (x-β, γ) → * by 17.2. As
(x, α) → q_1 ∧ ... then (x-β, α) → q_1-β ∧ ... ∧
(q_m-β, α) → * and (q_m-β, γ) → *, by 16 and 15 or
19 and 20 depending on whether q_m is in CNF or DNF.
This gives (x-β-α, γ) → * by 17.2.
a.2) by 17.2 ∃ some n such that
(x-α, β) → p_1 ∧ ... ∧ (p_n, β) → * ∧ (p_n, γ) → * and
p_n is in CNF. Suppose n = 1, then (p_1, β) → * and
(p_1, γ) → * and p_1 is in CNF. Now (x-α, β) → p_1 in
one of two ways:-

a.  2.  1)  by  16,  (x,  (3)  —  p'  and  =  P'-ar.  As  p'-c  is  in 

CNF  then  so  is  p1 .  Now  (p'-a.p)  -*•  *  either  by 

a.  2.  1.1)  (p\p)  =  {*}  and  (p't  a)  =  {*}  and 

(p'-or,  y)  —  *  by  15  with  (p1 ,  y)  =  {*} 

and  (p1 ,  a)  -  {  *  }  and  by  17.2  and 

(x,  (3)  —  p1,  (x-p,y)  =  {*}  and 

(x-(3,  O')  =  {*}  and  (x-p-or,  y)  —  by  15. 

or  a.  2.  1.2)  such  that,  by  17.2, 

(p' ,  a)  —  a  ...  a  (p^,  or)  =  {*}  and 
(p^,(3)={*}  and  (p'-a,  y)  — *•  *  with  some 
m  such  that  (p1,  a)  — ■  p^A  ...  a  (p^,  a)  =  {*} 
and  (p!  ,  y)  =  {  *  }  •  New  as 
(x,  (3)  — •  p'  we  have  (x-p,  a)  —  p ^ .  By  16, 
we  have  (p'^-p,  a)  p^-p  a  ■  •  •  A  (p^,-p,  a)  = 
{ *}  A  (p^-p,  y)  =  {*}.  Then  r  =  m  as 
(Pr»  =  {*}  and  (p^,  a)  =  {*}  and  17.2 
gives  (x-p-or)  -*■  *,  as  required. 
a.3) for DNF x-α, then x-α = x_1-α ⊕ x_2-α for some x_1 and
x_2, by axiom [- ⊕]. Then (x-α-β, γ) → * if either
(x_1-α-β, γ) → * or (x_2-α-β, γ) → * by 19 and 20, and we
can assume x_1 and x_2 are in CNF or else we repeat
the above argument. Then it is only necessary to show
(x'-α-β, γ) → * for some CNF x' and the other cases
follow by symmetry.

Case internal α and external β:-

(x-α-β, γ) → * if (x-α, γ) = {*} for CNF x-α. Follows a.1)
above. Again we only need consider the CNF case.

Case external β and internal α:-

Follows by only considering certain of the cases above.

Case external α and external β:-

Here (x-α-β, γ) → * if (x-α, γ) = {*} which arises when
(x, γ) = {*} by 18. Then (x-β, γ) = {*} and (x-β-α, γ) = {*} again by
18 as we only need consider CNF expression. Hence (x-β-α, γ) → *.

We now have completed part a) of the proof.

Part b) follows by symmetry.

c) (x-β-α, γ) → p implies either

c.1) by 16, (x-β, γ) → p' where p = p'-α implies either

c.1.1) by 16, (x, γ) → p" where p' = p"-β. By 16,
(x-α, γ) → p"-α and (x-α-β, γ) → p"-α-β, by 16 again.
Now p = p"-β-α ~ p"-α-β by an inductive argument on

c.2) by 17.1, (x-β, α) → p_1 ∧ (p_1, α) → p_2 ∧ ... ∧ (p_n, γ) → p'
where p = p'-α. Suppose n = 1, then (p_1, γ) → p'. Now
(x-β, α) → p_1 if either

c.2.1) by 16, (x, α) → p'_1 with p_1 = p'_1-β. As
(p'_1-β, γ) → p' then by 16 (p'_1, γ) → p" where
p' = p"-β. As (x, α) → p'_1 and (p'_1, γ) → p" we get
(x-α, γ) → p"-α by 17.1 and (x-α-β, γ) → p"-α-β, by 16.
Now p = p"-β-α ~ p"-α-β by our inductive
argument on ~. Or

c.2.2)  by  17.1,  ^  some  m  where  (x,  p)  —  x^  a  . .  .  a 
(xm,  a)  —  pj,  where  pA  =  p^-p  and  by  16 
(x-a,  P)  —  xt  a  (Xl-a,p)  —  x2  a  .  •  •  a  (xm-1-«,  p)  -*xrn. 
As  n  =  1,  (p^-p,  y)  —  P1  and  so  (p^,  y)  —  p"  by  16. 

As  we  also  have  (xm>  a)  -*■  p1^  then  17.1  gives 
(x  -a,  y)  -*■  p "-a  and  by  the  (x-a, P)  -*-x.  string 
above,  and  17.1  we  get  (x-ce-p,  y)  p"-ar-p . 

Now p = p"-β-α and we use an inductive argument
to get p"-β-α ~ p"-α-β.

We  have  shown  b.  2)  for  n  =  2  by  showing  for 
the  two  ways  in  which  (x-p,y)  —  p..  For  any  i, 

(p^,a)  —  p.  +  ^  in  a  similar  way,  and  so  for  any  n 
we  will  have  2  X  n  cases  where  each  is  like 
c.2.1)  or  c.2.2).  Then  for  any  n,  we  have  c.2). 

d) (x-α-β, γ) → p follows exactly as c) by symmetry.

We now have p-α-β ~ p-β-α, as required.
ERRATA

Page 7
line 4 - "arj + Br2" should read "ar + 3s"

Page 8
line 2 - "<B roots" should read "0 roots"
para. 3, line 6 - "event x" should read "event a"

Page 9
diagram 1 - The a on the left-hand-side of the leftmost box should be replaced by a y.

Page 16
para. 2, line 1 - "(α,p,α) → p" should be replaced by "(αp,α) → p"

Page 43
line -6 - 'g{.(10 1) pi,(i © 1) f\" should read "8£(i© i) p£(i © i) Fi"

Page 45
line 8 - "r. 9 1" should read "r.Q1"
i i©l

Page 52
after the last line add in the following:
[/■«] (EpJteA*] =(E(p±te/a]))

Page 71
line 4 - "the calculus" should be replaced by "the λ calculus"
